Hi,
First of all, thanks for a great library. I have been trying to learn the concepts of OAuth and OIDC and this library comes in very handy.
Currently, I tried using this in an Angular-CLI project and checked that the application needs the entire JS files from angular-oauth2-oidc (32kb) as well as jsrsasign (85kb). That's a fairly big chunk to bring to the first page, as this library would be needed for authentication.
I see that we use quite minimal parts of the JSRSAsign lib.
I checked if jsrsasign is ES2015 friendly, but it appears that there are no immediate plans to move to ES2015 modules. But as the comment notes, there are smaller bundles available for consumption.
I think using some libs from here should be sufficient for our usage.
Mostly, we need the below packages only (or maybe even less):
Crypto
JWS
KeyUtil
Hope that can bring down the package size needs for the jsrsasign library.
Similarly, I think right now library publishing has some issues leading to usage of the entire library (umd.js). package.json specifies the module field as "module": "angular-oauth2-oidc.js", but this js file is not present in the package that was downloaded (v3.1.4). Maybe that's why the entire library must get included currently. Fixing this should bring down the size of the angular-oauth2-oidc library in the overall bundle.
Let me know if you need more information.
Thanks for this info. Let's consider this for a future release. Of course, the bug with the main flag needs to be solved soon.
But I have a quick solution for you:
If you go this way I would be happy about a contribution, e.g. a pull request.
What do you think?
Sure, I will give it a try.
Did you find out something?
Just ran into this myself. Latest Rollup (0.56.3) does not tree shake jsrsasign away (or it at least leaves the require('jsrsasign') statement in the bundle).
This is still an issue even with the NullValidationHandler.

Does anyone have an idea what to do?
Thanks for this feedback. I will make this one priority for version 4.1.
4.0 will come with Angular 6 support and then I will hunt this down. It's an important thing.
I've made this here: https://github.com/manfredsteyer/angular-oauth2-oidc/pull/356
Which will fix these issues and reduce dependencies size down to a very tiny amount.
However, it comes at the cost of breaking changes (if we go for window.crypto).
If you are building with webpack and know that you do not use the functionality that is provided by jsrsasign, you can get rid of the dependency with the help of webpack (in my case webpack 4).
We created a mock for the two modules used from jsrsasign:
jsrsasign.js

    module.exports.KEYUTIL = {
      getKey: b => null,
    };
    module.exports.KJUR = {
      jws: {
        JWS: {
          verifyJWT: (...a) => null,
        },
      },
    };

Now all you have to do is add the following to your webpack config:
webpack config

    {
      resolve: {
        alias: {
          jsrsasign$: 'path/to/your/jsrsasign.js',
        }
      }
    }

This will replace the dependency with your own file, reducing the bundle size drastically.
Just ensure that you are not using any functionality that relies on it.
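A fail-closed variant of the mock in the comment above, as an added example that is not from the thread or from the library: every call into the stubbed module throws and names the path that was used, so an accidental dependency on signature verification is visible instead of returning null. The names failClosedStub, strictStub, checkSignature and outcome are hypothetical, and checkSignature is a constructed caller, not the library's own code.

```javascript
// Hypothetical fail-closed variant of the jsrsasign.js mock above (added example).
function failClosedStub(path) {
  const refuse = () => {
    throw new Error(`${path}() called, but jsrsasign is aliased to a stub; ` +
      'no signature verification is available in this build');
  };
  return new Proxy(function () {}, {
    get(_target, prop) {
      // Ignore symbols and bundler/promise interop probes.
      if (typeof prop === 'symbol' || prop === '__esModule' || prop === 'then') {
        return undefined;
      }
      return failClosedStub(`${path}.${prop}`);
    },
    apply: refuse,      // e.g. KJUR.jws.JWS.verifyJWT(...)
    construct: refuse,  // e.g. new KJUR.crypto.Signature(...)
  });
}

const strictStub = {
  KEYUTIL: failClosedStub('KEYUTIL'),
  KJUR: failClosedStub('KJUR'),
};
if (typeof module !== 'undefined' && module.exports) {
  module.exports = strictStub; // what the webpack alias would resolve to
}

// The mock from the thread, reproduced for comparison.
const nullStub = {
  KEYUTIL: { getKey: b => null },
  KJUR: { jws: { JWS: { verifyJWT: (...a) => null } } },
};

// Constructed caller (assumption): looks up a key, then verifies a token.
function checkSignature(rs, idToken, jwk) {
  const key = rs.KEYUTIL.getKey(jwk);
  return rs.KJUR.jws.JWS.verifyJWT(idToken, key, { alg: ['RS256'] });
}

// Reports what a caller observes with a given stub in place.
function outcome(rs) {
  try {
    return `returned ${checkSignature(rs, 'constructed.sample.token', {})}`;
  } catch (e) {
    return `threw: ${e.message}`;
  }
}
```
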
Any news on this issue? Indeed, it is really heavy in my webpack analyze...
https://bundlephobia.com/[email protected]
BUNDLE SIZE 269.6kB MINIFIED
jsrsasign | 79.6% | ~ 214.45 kB
(self) | 18.4% | ~ 49.56 kB
We are using the NullValidationHandler and with angular/[email protected] jsrsasign still gets its way into the production bundle.
The maintainer chose a different route to fix this in Version 9.x, which does require switching to Code+PKCE flow (the new recommendation for SPAs).
I will close this issue because I think the most honest current way of things is that for Implicit Flow with JWKS, or for versions <9.x, this will not be resolved.
To summarize, your options for getting rid of jsrsasign and its impact on your bundle size:
JwksValidationHandler and its package (that depends on the jsrsasign)