As the Release Candidate for Angular 8 has been out for some days, we will now start preparing the next version of this library. It will land soon and contain the following features:
If anyone wants to participate by providing a PR, you are welcome and this is the right time window now. In this case, please reach out.
Feel free to ping or DM me when you need a beta tester 👍
Any plans for offline support ? #545
Good question. I think it will be easier, as with code flow we will support refresh tokens.
Btw: You can already trigger a token refresh by hand. There is a method, sth. like silentRefresh.
I'm using Silent Refresh already (maybe I'm using it wrong).
Try it
1) Use a very small time for your access token (like 120 seconds).
2) Run your app
3) Use chrome tools to go Offline
4) Check the errors
I appreciate any guidance here
I think there's some confusion. There's two uses of the word "offline":
The latter is already supported, if you use this library with the Password flow you can ask for "offline" scope and get a refresh token. In the Implicit flow this scope isn't used, I think. With (variants of) the Code flow it _is_ used (I think?) so that might get support in v8?
But for the first item, in #545, I think that's something else entirely?
@jeroenheijmans totally agree on the confusion.
Yes, the problem is with "offline" connection (which is 2 ways: the client might lose connection or the server is down or unreachable).
Once the access token expires (or the silent refresh is working), it tries to reach out to the issuing server for renewal.
If there is no internet connection, there should be proper handling, rather than throwing errors (like it's doing now). It should do some sort of queuing or waiting or retrying mechanism.
Once the connection is online, the "silent refresh" _should_ resume working as expected.
@manfredsteyer @jeroenheijmans is this coming only post angular 8 release?? I presume there would be no challenge in using the same version on angular 6 and rx 6! We're looking forward for PKCE flow and we may not upgrade to ng 8 yet.
Note that I have no say in this, I just try to help out by (and enjoy) supporting users of this library.
I _presume_ though that the readme part about release cycle still holds, and that (presumably because of personal time constraints) new major versions typically align with and require new versions of Angular and possibly RxJs. So most likely you'd need to backport changes or create a custom fork/branch yourself to have v8 features in
@jeroenheijmans thanks for letting me know what has to be done :) really helpful... Let me see if i can fork a branch and backport as you suggested.. I could try angular 5 with v5.0.2 (of this library) with just an rxjs compat and things were smooth... Just being greedy here if the same can be assumed with this release as well :)
Yes, it's as @jeroenheijmans says. We test the current lib version only with the current Angular version. It may work with an older Angular version, but no guarantees.
Any details on the release?
Would be lovely to see this release soon
any updates?
waiting! :)
https://github.com/manfredsteyer/angular-oauth2-oidc/pull/568
Behold.
I updated to Angular 8 and cleaned up the code a bit, but I'm not sure what to do about:
Support for Code Flow + PKCE to align with the current Best Practice document
Dramatically smaller Bundles Sizes by using browser-internal crypto APIs
Using browser-internal crypto APIs isn't something I'm really comfortable with; I'm in no way specialized in security. As far as I can see, the `import * as rs from 'jsrsasign';` has to be replaced with `crypto.subtle`. Which I can do, but I would like some input for that or someone else to check my work.
If anyone has an idea on how to approach this, please tell me so I can build it.
Just for info. I upgraded my project to Angular 8, and oauth is still working fine.
@manfredsteyer Any info when we can expect a version with support of Authorization Code + PKCE?
Is there an ETA for this yet?
any updates? Angular 8 is released for a while now..
I had to postpone it, but I've reserved some time for it in July.
The good message is, everything works with the current version (even though there are peer dependency warnings which will go away when version 8 lands).
@manfredsteyer I've tried implementing the crypto api, but I'm having a hard time with encoding, decoding and verifying. Having issues with arraybuffers.
I messed around in a branch that I branched from my upgrade-angular-8 branch in my own fork (https://github.com/lwensveen/angular-oauth2-oidc/tree/feature/implement-browser-crypto). Dunno if this might be handy for you or someone else.
This is great! Thanks for the info. Does it work? I guess, we need something like this in this library. I'm thinking about another tokenValidationHandler which uses the browser's native crypto api.
What do you think?
@manfredsteyer No it doesn't. Like I said, the crypto api uses arraybuffers for everything and I can't get those to decode properly. Might be doing it wrong though. First I tried the functions described here: https://developers.google.com/web/updates/2012/06/How-to-convert-ArrayBuffer-to-and-from-String
Later I used https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder
Seems like a fine idea to put it into a separate handler for now.
Ad using subtle crypto, see also: https://github.com/damienbod/angular-auth-oidc-client/issues/26
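The ArrayBuffer handling that the comments above got stuck on, as an added example that is not part of the original thread or of the library: verifying an RS256-signed token with `crypto.subtle` instead of jsrsasign. All function names are hypothetical, the key pair and token are constructed samples, and only the signature is checked (issuer, audience, expiry and nonce validation are out of scope).

```javascript
// Added example; function names are hypothetical, not the library's API.
const ALG = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };

// crypto.subtle in browsers (secure contexts) and recent Node; older Node needs node:crypto.
async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}

// base64url -> bytes. atob returns a "binary string": one char per byte, not UTF-8 text.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), c => c.charCodeAt(0));
}

// ArrayBuffer or typed array -> unpadded base64url.
function bytesToB64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Verify a compact RS256 JWS against a public JWK; returns the claims or throws.
async function verifyRs256(jwt, jwk) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[0])));
  // Pin the algorithm on the verifier side instead of trusting the token header.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const subtle = await getSubtle();
  const key = await subtle.importKey('jwk', jwk, ALG, false, ['verify']);
  // The signature covers the ASCII bytes of "header.payload" exactly as received.
  const signed = new TextEncoder().encode(parts[0] + '.' + parts[1]);
  const ok = await subtle.verify(ALG, key, b64urlToBytes(parts[2]), signed);
  if (!ok) throw new Error('bad signature');
  return JSON.parse(new TextDecoder().decode(b64urlToBytes(parts[1])));
}

// Constructed sample input: a throwaway key pair and a token signed with it.
async function makeSample(claims) {
  const subtle = await getSubtle();
  const params = { ...ALG, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) };
  const pair = await subtle.generateKey(params, true, ['sign', 'verify']);
  const enc = obj => bytesToB64url(new TextEncoder().encode(JSON.stringify(obj)));
  const input = enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims);
  const sig = await subtle.sign(ALG, pair.privateKey, new TextEncoder().encode(input));
  return { jwt: input + '.' + bytesToB64url(sig), jwk: await subtle.exportKey('jwk', pair.publicKey) };
}
```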
We're looking forward to the update. Is there anything that you need help with @manfredsteyer ?
@jeroenheijmans This code is no longer in there, but I can see if I can get it to work.
EDIT: It seems he just introduced new dependencies, where I tried to directly use cryptosubtle.
Or am I missing something?
-Support for Code Flow + PKCE to align with the current Best Practice document
I am waiting for this feature. Any date for release v8?
Me too.
@volkanokcu If you can't wait at all you can use this fork https://github.com/bechhansen/angular-oauth2-oidc but it is still at version 4.0.1
I also need Support for Authorization Code Flow for a current project and unsure if to wait for the next release of this library or if I'll have to use the one linked above.
@manfredsteyer Can you make an estimation on when the release could possibly come out?
Version 8 is out:
https://github.com/manfredsteyer/angular-oauth2-oidc/releases/tag/8.0.0
We have Code + PKCE + Token Refresh now.
Looking forward to your feedback.
Getting rid of the big crypto api when not supporting IE is still an open task.
@lwensveen is working on it (see above). Can anyone help him with the current show stoppers?
Welcome!
Info now seems to be out there in the relevant places:
Some bug fix minor releases have already come after.
Going to clean up and close this issue, if anyone has problems with v8 (or in general) feel free to open a fresh issue!