jeroenheijmans / sample-angular-oauth2-oidc-with-auth-guards

Basic example of how to integrate the angular-oauth2-oidc library in an Angular SPA utilizing AuthGuards.
MIT License
262 stars 112 forks source link
angular angular-oauth2-oidc typescript

Example angular-oauth2-oidc with AuthGuard

This repository shows a basic Angular CLI application with the angular-oauth2-oidc library and Angular AuthGuards.

Lint-Build-Test

⚠ Third-party Cookies

TLDR 👉 See my "SPA Necromancy" blogpost for all options and workarounds known to me.

Browser vendors are implementing increasingly strict rules around cookies. This is increasingly problematic for SPA's with their Identity Server on a third-party domain. Most notably problems occur if the "silent refresh via an iframe" technique is used.

This repository uses that technique currently, starting with a silentRefresh(). This will fire up an iframe to load an IDS page with noprompt, hoping cookies get sent along to so the IDS can see if a user is logged in.

Safari will block cookies from being sent, prompting a leading OAuth/OpenID community member to write "SPAs are dead!?". In fact, if you fire up this sample repository on localhost, which talks to demo.duendesoftware.com (another domain!), and use it in Safari: you will notice that the silent refresh technique already fails!

For reference, see issue #40, or my blogpost that explains workarounds and solutions.

Features

⚠ To see the Implicit Flow refer to the implicit-flow branch (which might be getting outdated, since Code Flow is now the recommended flow).

This demonstrates:

Most interesting features can be found in the core module.

Implicit Flow

If you need an example of the Implicit Flow check out the last commit with that flow or even earlier versions. For new applications Code+PKCE flow is recommended for JavaScript clients, and this example repository now demonstrates this as the main use case.

Usage

This repository has been scaffolded with the Angular 5 CLI, then later upgraded to newer versions of the Angular CLI. To use the repository:

  1. Clone this repository
  2. Run npm ci to get the exact locked dependencies
  3. Run npm run start (or start-with-ssl) to get it running on http://localhost:4200 (or https://localhost:4200)

This connects to the demo Duende IdentityServer instance also used in the library's examples. The credentials and ways of logging in are disclosed on the login page itself (as it's only a demo server).

You could also connect to your own IdentityServer by changing auth-config.ts. Note that your server must whitelist both http://localhost:4200/index.html and http://localhost:4200/silent-refresh.html for this to work.

You can run the end-to-end tests using:

  1. Run npx playwright install to grab the Playwright browsers
  2. Run npm run test to run the specs

Differences between Identity Server options

This repository demonstrates features using https://demo.duendesoftware.com (Duende IdentityServer). There are various other server side solutions available, each with their own intricacies. This codebase does not keep track itself of the specifics for each other server side solution. Instead, we recommend you look for specific guidance for other solutions elsewhere. Here are some potential starting points you could consider:

Feel free to open an issue and PR if you want to add additional pieces of guidance to this section.

Example

The application is supposed to look somewhat like this:

Application Screenshot