Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
auth0-angular
Advanced tools
This SDK is for use with Lock v9. For use with Lock 10, see the angular-lock and angular-auth0 wrappers.
This AngularJS module will help you implement client-side and server-side (API) authentication. It can be used together with Auth0 to add support for username/password authentication, enterprise identity providers like Active Directory or SAML and also for social identity providers like Google, Facebook or Salesforce among others to your web, API and native mobile apps.
Auth0 is a cloud service that provides a turn-key solution for authentication, authorization and single sign-on.
auth0-angular
supports events and promised-based actionsauth0-angular
together with angular-storage
and angular-jwt
can handle the complete token lifecycle, including storing, expiration and renewal.bower install auth0-angular
npm install auth0-angular
<script type="text/javascript" src="//cdn.auth0.com/js/lock-9.0.js"></script>
<script type="text/javascript" src="//cdn.auth0.com/w2/auth0-angular-4.2.5.js"></script>
Warning: If you use a CDN or download these scripts manually, be sure to include the versions of
auth0-lock
orauth0.js
that match the versions specified in thebower.json
.
angular.module('myCoolApp', ['auth0'])
.config(function(authProvider) {
// routing configuration and other stuff
// ...
authProvider.init({
domain: 'mydomain.auth0.com',
clientID: 'myClientID',
loginUrl: '/login'
});
})
.run(function(auth) {
auth.hookEvents();
});
// LoginCtrl.js
angular.module('myCoolApp').controller('LoginCtrl', function(auth) {
$scope.signin = function() {
auth.signin({
authParams: {
scope: 'openid name email' // Specify the scopes you want to retrieve
}
}, function(profile, idToken, accessToken, state, refreshToken) {
$location.path('/user-info')
}, function(err) {
console.log("Error :(", err);
});
}
});
<a href="" ng-click="signin()" />
// UserInfo.js
angular.module('myCoolApp').controller('UserInfoCtrl', function(auth) {
// Using a promise
auth.profilePromise.then(function(profile) {
$scope.profile = profile;
});
// Or using the object
$scope.profile = auth.profile;
});
<!-- userInfo.html -->
<span>{{profile.name}} {{profile.email}}</span>
There're many more things that you can do with auth0-angular
in conjunction with angular-storage and angular-jwt.
There are three modes to handle authentication with all the providers (e.g. Facebook, Linkedin, GitHub, AD, LDAP) that Auth0 can handle: redirect, popup, and resource owner (/oauth/ro
) CORS calls.
When using redirect mode, the user will be redirected to the provider's login page for authentication. After authenticating, the user will be redirected back to the application with the requested user information in the hash fragment, which can be handled with Angular events. This implies that the application will be reloaded completely when the authentication flow is initiated.
Popup mode will open a popup window displaying the provider's login page. After authentication, the popup will close and return control to the application. The requested user information will be available through a callback function and will not reload the page.
Database connection users can be authenticated by making a CORS call to /oauth/ro
, passing a username and password.
Does not reload the page.
auth0-angular depends on either auth0.js
or auth0-lock.js
.
If you want to use Auth0's beautiful Lock UI, you need to include auth0-lock.js
. This lets you configure Title and Icons, but the UI is taken care for you. For all the customization properties, please check out this link
Otherwise, if you'll use a custom UI, you need to include auth0.js
.
It's important to note that these scripts must be included before auth0-angular.
If you're using bower
or npm
, these scripts are set as dependencies of auth0-angular so that you choose the best for you. Otherwise, you can include them from the CDN:
<!-- Either this -->
<script type="text/javascript" src="//cdn.auth0.com/js/auth0-lock-7.js"></script>
<!-- or -->
<script type="text/javascript" src="//cdn.auth0.com/w2/auth0-6.7.js"></script>
Parameters between []
are optional.
Logs in a user, returning tokens and their profile information.
Lock will be displayed if included, otherwise a login will be performed with the specified identity provider (connection
).
If success and error callback functions are supplied, popup mode will be used. This will not reload the page.
auth.signin({}, function(profile, idToken, accessToken, state, refreshToken) {
// All good
$location.path('/');
}, function(error) {
// Error
})
A connection
parameter can be passed to log in a user without displaying Lock.
When using database connections, username
and password
can be passed as well.
The snippet below will perform a to a call to /oauth/ro
:
auth.signin({
username: $scope.username,
password: $scope.password,
connection: 'Username-Password-Authentication'
}, function(profile, idToken, accessToken, state, refreshToken) {
// All good
$location.path('/');
}, function(error) {
// Error
}, 'Auth0')
Redirect mode will be used when not passing success or error callbacks. In this case, login success and failure are handled with events:
// app.js
module.config(function(authProvider) {
authProvider.on('loginSuccess', function($location, profilePromise, idToken, store) {
profilePromise.then(function(profile) {
store.set('profile', profile);
store.set('token', idToken);
});
$location.path('/');
});
authProvider.on('authenticated', function($location) {
// This is after a refresh of the page
// If the user is still authenticated, you get this event
});
authProvider.on('loginFailure', function($location, error) {
$location.path('/error');
});
});
// LoginCtrl.js
auth.signin();
The complete Lock API is documented here.
Displays Lock in signup mode, and logs the user in immediately after a successful signup.
Accepts the same options and parameters as auth.signin
.
Performs the "forgot your password" flow.
If using auth0.js
, it will send an email to confirm the password change. See the documentation here.
If using Lock, the widget will be displayed in "reset password" mode.
In this case, this method accepts the options and parameters as auth.signin
.
This logs the user out locally by deleting their token from local storage.
Reauthenticates the user by using a stored profile and token without going through the login flow. You can read more about this subject in this article.
Once a user has successfully logged in, this property will contain their profile.
If you want to use information from auth.profile
only after the user is logged in, you can just do a $watch
on this property to wait until it's set.
Same as auth.profile
, but as a promise.
If the user has not attempted a login yet, this will be null
.
This flag returns whether there's a user authenticated or not.
API to link multiple accounts to primary account
Note that options.connection
must be provided because it tells Auth0 which account to link to
These properties contain the tokens returned after the user is logged in. Mostly for internal usage.
auth0-angular
hooks to internal Angular events so that a user will be redirected to the login page if trying to visit a restricted resource.
For that, you need to hook auth0-angular
to all of these events on application run.
First, configure the restricted routes:
// Using ngRoute
module.config(function($routeProvider) {
$routeProvider.
when('/info', {
templateUrl: 'info.html',
controller: 'InfoCtrl',
requiresLogin: true
}).
when('/login', {
templateUrl: 'login.html',
controller: 'LoginCtrl'
});
authProvider.init({
domain: 'domain',
clientID: 'clientID',
callbackUrl: location.href,
loginUrl: '/login'
})
})
// Using ui-router
module.config(function($stateProvider) {
$stateProvider.
state('info', {
url: '/info'
templateUrl: 'info.html',
controller: 'InfoCtrl',
data: {
requiresLogin: true
}
}).
state('login', {
url: '/login'
tempalteUrl: 'login.html',
controller: 'LoginCtrl'
});
authProvider.init({
domain: 'domain',
clientID: 'clientID',
callbackUrl: location.href,
loginState: 'login'
})
});
Then, call hookEvents
in the run
method:
module.run(function(auth) {
auth.hookEvents();
});
To learn more about routing and using ngRoute
or ui-router
, please read this tutorial.
This method does a token delegation request, which means exchanging the current token for another one.
There are two cases:
auth.getToken({
api: 'firebase' // By default it's going to be the first active addon in the list of addons
})
iss
claim) and signed with its client secret.
Returns a promise.auth.getToken({
targetClientId: 'other client id',
api: 'auth0' // We want the Auth0 ID_token of the other API
})
To learn more about delegated access, please refer to the authorization API documentation.
JSON Web Tokens have an expiration date, indicated by the exp
claim. If you don't want your user to log in again, the current token can be refreshed. Refreshing a token means using that token before it has expired in order to obtain a new one with a later expiration date.
For example, suppose you have a token valid for 10 hours. After 9 hours, you could refresh the token to get a new token which will be valid for another 10 hours.
The renewed token will be requested with the same scopes as the original token, by using a special passthrough
scope. To request different scopes, use getToken()
. Returns a promise.
Given an id_token
which might have expired, use the refresh_token
to get a renewed id_token
.
You use this method to configure the auth service. It can be used either from the provider in the config
method of your app, or anywhere else in the application from the auth
service by calling auth.init
. You can set the following options:
true
. This will mean that if a user signs in to app 1, when he tries to use app 2, he will be already logged in.The following events can be handled:
auth.authenticate
. In the handler, you can inject any service you want.profileProfile
and idToken
from the user.error
which was thrown.When using redirect mode, it's mandatory to handle login events in this way.
In the case of popup mode, events can be handled this way or by using a promise on auth.signin
.
This is the list of all of the available tutorials & samples.
Check the CHANGELOG file to see the changes from version to version.
Read here how to run auth0-angular tests
Auth0 helps you to:
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
This project is licensed under the MIT license. See the LICENSE file for more info.
FAQs
Angular SDK to use with Auth0
The npm package auth0-angular receives a total of 95 weekly downloads. As such, auth0-angular popularity was classified as not popular.
We found that auth0-angular demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 6 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.