Bugfix

#515 caused a regression. We resolve it now by:

• catching a timeout error
• using a config property waitForTokenInMsec for the timeout
• this config property is set to 0 by default to be compatible with older versions of this lib

Code + PKCE

Features

• Tested with Angular 8
• Code Flow + PKCE (RFC 7637) to align with OAuth 2.0 Security Best Current Practice
• Support for refresh_token and automatic refresh when using Code Flow
  • See mentioned Best Current Practices document for things to consinder

More information about this can be found in the docs:

• https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/code-flow-+-pcke.html
• https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token.html

PR

Big thanks to all contributors for providing 21 PRs for this release! You all are awesome!!!

Proposal: Add implicit flow through popup
#468 by leonardochaia

Improve default oauth interceptor investigating
#515 by simonmulser was merged

feat: Upgrade to angular 8
#573 by killzoner was merged

Improve documentation for events
#520 by jeroenheijmans

Added customUrlValidation
#331 by vytautas-pranskunas-

Properly implements openUri for implicit flow
#369 by nhance was merged

Refresh the timers after configuration has changed
#382 by FabienDehopre

Cleanup timers when OAuthService is destroyed
#463 by leonardochaia

Fixed HTTPS error messages in service
#510 by bobvandevijver

Calculate the timeout using now as a reference
#487 by filipvh

Add documentation about configuring custom OAuthStorage
#512 by dennisameling

update README re: discovery doc validation disabling
#521 by cconcannon

optionally use crypto to generate nonce
#540 by ChristianMurphy

Pause silent refresh if user has logged out
#526 by l1b3r

Skip issuer check in processIdToken if skipIssuerCheck is true
#527 by ismcagdas

Corrects how localStorage could be used
#533 by ManuelRauber

Add noPrompt parameter to setupAutomaticSilentRefresh method
#536 by remiburtin

feature: Abort current implicit flow
#537 by enricodeleo

Fix spelling mistake
#544 by peterneave

Only present the sendAccessToken interceptor mechanism in the Readme
#554 by nhumblot

Added clock skew parameter
#569 by nenadmaricic

5.0.2

Unfortunately, we had to defer the removal jsrsasign. We will still look into this as it allows an amazing reduction in bundle size.

Version 5: Angular 7

Major Features

• Tested with Angular 7

Deferred

• Smaller footprint (-86% compressed) thanks to using browser apis instead of a lib for validating the id_token's signature (Thx Toxicable)

All Features and Bugfixes

• Update to Angular 7 #456 (akehir)
• feat: remove jsrsasign dependancy #356 (Toxicable)
• Decouple OAuthService from console #427 (jeroenheijmans)
• upgrade example to new rxjs (6?) syntax with operators in .pipe() #399 (hellerbarde)
• Docs: fix english #398 (lukasmatta)
• Use responseType parameter #397 (mpbalmeida)
• Clarify imports in README example #372 (jeroenheijmans)
• Change 'Authentication' to 'Authorization' #371 (jeroenheijmans)
• Properly implements openUri for implicit flow #369 (nhance)
• Issue #343 onTokenReceived callback is not called if no iodc - after tr… #345 (denisbeklarov)
• Make all of the login functions return Promise #339 (ajpierson)
• Session check changed to run outside of Angular zone #441
• Resolves #439 #448 [use protected vs private]

Thanks to all Contributers

Big thanks to ajpierson, denisbeklarov, Fabian Wiles, jdgeier, Jeroen Heijmans, Lukáš Matta, Marcos Paulo Belasco de Almeida, Martin Černý, Nicholas Hance, P. Stark, Raphael Ochsenbein

You all are awesome!

Thanks for Moderation

Also, big thanks to Jeroen Heijmans for moderating and answering a lot of questions in this github repo.

4.0.2

• Redirect to logoutUrl, even if there is no id_token #322
• Resolved some issues in documentation (broken links, added clarifications)

Thanks to all the contributors for the discussions and hints in the issues section and for filing PRs. You are awesome!

4.0.1

PR

Fixed bug with required grant and made allowedUrls optional #312

4.0.0 - Angular 6 support

Version 4.0.0

Features

• Angular 6 support
• Upgraded to CLI 6 based monorepo

Pull Requests

• Get granted scopes #274
• Upgraded to Angular 6 #304
• use custom encoder to allow + in password #272
• Adds a new configuration option to allow external control over how the login page is opened #235
• Fix typo in the interceptor docs #234
• fix: run tokensetup outside ngzone #233
• Fixes typo in readme #232
• Fix typo in docs #231
• State improvements #224
• Added support for logout using client id. #201
• Updates repository and bug url in package.json #192

Thanks to all contributers! You are awesome!

3.1

• Introduces a default HttpInterceptor for error handling and sending the access_token to the resource server

• Fixed Issues: #166 #167 #170 #171 #173 #174 #177 #184 #188

Big thx to all the contributers

3.0.1

Features

• Supports Angular 5 (#162, #152, #165)
• Supports Angular 4.3+
• Uses HttpClient instead of Http
• Auto redirect log in Identity Server #157
• Allow custom parameter for password flow #158
• Add method getRefreshToken() #164
• Silent refresh with token_hint (closes #155)
• Integration with angular seed #121

Fixed

• Events and onTokenReceived seemingly not working. #133
• sessionChecksEnabled = false is not respected if discovery doc contains check_session_iframe #132

Breaking Changes

• As we now depend on the new HttpClient instead of the Http(Service) deprecated with Angular 5, we need >= Angular 4.3 (--> Version 5.x is also fine).

Big thanks to all the contributers for helping to make this possible!

2.1.3

• Fix or at least narrow down #92