Releases: manfredsteyer/angular-oauth2-oidc
19.0.0
18.0.0
17.0.2
- chore: Update jsrsasign due to CVE-2024-21484 Marvin attack of RSA and RSAOAEP decryption #1393
15.0.0
12.1
12.0.0
12.0.0
Bug Fixes
- #728 (51e438a), closes /github.com/manfredsteyer/angular-oauth2-oidc/issues/728#issuecomment-808969225
- clear location.hash only if it is present (c2b2753), closes #970
- correctly handle ? and & in location replacements (70fd826)
- Disable nonce validation for id token for e2e tests (f5bd96c)
- fix scope/state removal for implicit flow with hash (9e257d0)
- in code flow pass options to error handler (c9a2c55), closes #972
- jwks: update jsrsasign dependency to 10.2.0 (a05bd8a), closes #1061
- multiplying calls to token endpoint in code flow (59f65d2)
- Refresh tokens with a plus sign get corrupted before sending to token endpoint (2204c5a)
- revoketokenandlogout: 'customParameters' should accept boolean (9761bad)
- While Using POPUP mode, we click on login button multiple time it opens multiple popup instead of focusing already opened (bbff95b)
Features
- introduce DateTimeProvider (0c0a4a7)
- logout: postLogoutRedirectUri should not default to redirectUri (ff7d1d9)
- support JWT response on userinfo endpoint (da16494)
- Custom grant type added (#919)
- Listen for storage to receive auth hash from popup (#935)
- Add event for unchanged session (#936)
- Add loginHint to codeFlow (#938)
- Add a windowRef option to initLoginFlowInPopup to prevent the window from beeing blocked by popup blockers (#965)
- Use configured revocationEndpoint by default (#1020)
Thanks to all the contributors: Miguel Serra, Manuel Rauber, Frank Rosner, Everson R R Moura, meysam gheysaryan, Nikolay, Patrick Westerhoff, Jonathan Yee, Flofie, Dirk Bolte, Sebastian Abshoff, Paweł Dymiński, Bala Charan Nihanth Mutluru, Torkill Strømmen, codeepic, sven-codeculture, Mohamed AbdelAal, Chaz Gatian, Réda Housni Alaoui, huy2nhan, Lin Jie, Taras Krasnytsia, Josselin Francois Downey, BobCui, Mike, Jeroen Heijmans, coyoteecd
Special Thanks to the one and only Jeroen Heijmans for moderating the forum/ issues.
10.0.0
- Tested with Angular 10
- Details: see changelog.md
9.2.0
9.1.0
Features
- automatic silent refresh: stopAutomaticRefresh stops all timers. (8ab853b)
- code-flow: allow using silent refresh by setting useSilentRefresh to true (93902a5)
- sample: Also use new Identity Server 4 for implicit flow demo to prevent issues with same site cookies (58c6354)
- session checks: Session checks work now for code flow too. Please see docs for details. (4bf8901)
Bug Fixes
- code flow: Fixed code flow for IE 11 (0f03d39)
- sample: use hash-based routing (3f44eca)
- session state: save session_state also when using code flow (8fa99ff)
- state: passing an url with a querystring as the state, e. g. url?x=1 (71b705c)
- #687 (e2599e0)
- missing HttpModule dependency (7eac8ae)
- run tokensetup outside ngzone (07bb62d)
- typo (3d331f2)
Pull Requests
- Update sample app and silent-refresh.html script #755, linjie997
- Add optional state parameter for logout, pmccloghrylaing
- fix customHashFragment usage in tryLoginCodeFlow, roblabat
- replace document with injectionToken #741, d-moos
- Support predefined custom parameters extraction from the TokenResponse, vdveer
- Fixed not working silent refresh when using 'code' #735, ErazerBrecht
Thanks
Big Thanks to all contributers: Brecht Carlier, Daniel Moos, Jie Lin, Manfred Steyer, Phil McCloghry-Laing, robin labat, vdveer
Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues!
9.0.0
New Features/ Merged PRs
- ~ 50% less bundle size for code flow (recommended flow) due to putting non-treeshakable code only needed for implicit flow (not recommended anymore) into an lib of its own (see breaking change, below)
- New demo-project quickstart-demo shows most important aspects for code flow
- Angular 9 upgrade #718, jeroenheijmans
- Fix for issue 661 #720, mike-rivera
- Set userinfoEndpoint if userinfo_endpoint not exists #685, luciimon
- Add more types in OAuthService #684, vadjs
- Fix destroying route via silentRefresh when using hash strategy (Issue 277) #672, tpeter1985
- Clean up more resources in ngOnDestroy #666, Andreas-Hjortland
- Fix positioning of popup login window #664, Andreas-Hjortland
- Fixed not using config.openUri in code flow #660, axle-h
- Merge pull request #656 from dirkbolte/improve-error-for-missing-endpointUrl, dirkbolte
- Add more guides on another way to use loadDiscoveryDocumentAndTryLogin #648, jonyeezs
- Added popup related error handling for implicit grant, dekundu
- Support hash location strategy with code flow #634, gingters
- Unsubscribe from 'token_received' events before re-subscribing #630, l1b3r
- Correct implementation of rfc7636 section 4.1 #629, jfyne
- During session check, ignore messages with irrelevant origin #617, Maximaximum
- Allow clockSkewInSec to be different from 600 #615, vdveer
- Fixing disableAtHashCheck, not being recognized correctly #613, dorianweidler
- Add support for code flow silent-refresh and popup #609, KevinCathcart
- Always set expiration timers for valid token types #597, harmpauw
- Validate self when calling crypto provider #588, ryanmwright
- Removed duplicated condition for allowedUrls during interceptor logic and make it optional #584, adrianbenjuya
- Add CryptoHandler to public api. #583, Chris3773
Big Thanks to all Contributers
adrianbenjuya, Andreas-Hjortland, axle-h, Chris3773, dekundu, dirkbolte, dorianweidler, gingters, harmpauw, jeroenheijmans, jfyne, jonyeezs, KevinCathcart, l1b3r, luciimon, Maximaximum, mike-rivera, ryanmwright, tpeter1985, vadjs, vdveer
Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues.
You all rock!
Resolved Bugs
- AutoSilentRefresh doesn't work after refresh the page bug #444
- Event type 'received_first_token' is never fired bug #564
- loadUserProfile will return roles of last user if current user has no roles assigned bug investigation-needed #580
- OAuthResourceServerConfig: customUrlValidation not used when allowedUrls not set bug future-version pr-welcome #593
- Url Helper Service should not discard question marks when parsing hash fragment bug investigation-needed #604
- Code Flow erroring out due to multipe expiry events bug pr-welcome #632
- Emit token_expires if token has already expired bug #637
- Unhandled Promise rejection: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document bug #641
- postMessage interfering issue bug #657
- Does Authorization Code Flow work with loadDiscoveryDocumentAndLogin(); bug #661
- Refresh timer not started after page reload bug investigation-needed #683
- refresh with code flow bug #688
- Debug mode with custom Logger breaks bug pr-welcome #709
- tryLoginCodeFlow Removing ? from URL Which is Invalid bug investigation-needed
Breaking Changes
With regards to tree shaking, beginning with version 9, the JwksValidationHandler has been moved to a library of its own. If you need it for implementing implicit flow, please install it using npm:
npm i angular-oauth2-oidc-jwks --save
After that, you can import it into your application by using this:
import { JwksValidationHandler } from 'angular-oauth2-oidc-jwks';instead of that:
import { JwksValidationHandler } from 'angular-oauth2-oidc';Please note, that this dependency is not needed for the code flow, which is nowadays the recommended flow for single page applications. This also results in smaller bundle sizes.