Announcing Angular-Oauth2-Oidc, Version 2

Announcing Angular-Oauth2-Oidc, Version 2

Today, I've released a new version of the angular library angular-oauth2-oidc, which allows for implementing token-based Security using OAuth2/ OpenId Connect and JWTs with Angular.

This new major version comes with some breaking changes. You find a list at the beginning of the updated readme. I think they won't affect everyone and even when you are affected you should be able to deal with them quite quickly.

Silent Token Refresh

Silent Refresh was the most requested feature for this library. It is a standard compliant way to refresh your tokens when/ before they expire using implicit flow.

If the application is prepared for it, performing a silent refresh is as easy as this:

    .then(info => console.debug('refresh ok', info))
    .catch(err => console.error('refresh error', err));

By leveraging the new events observable, an application can automatically perform such a refresh when/ sometime before the current tokens expire:

    .filter(e => e.type == 'token_expires')
    .subscribe(e => {

More information about this can be found within the updated readme.

Validating the signature of id_tokens

The library can now directly validate the signature of received id_tokens. For this, just assign a ValidationHandler:

import { JwksValidationHandler } from 'angular-oauth2-oidc';


this.oauthService.tokenValidationHandler = new JwksValidationHandler();

The JwksValidationHandler shown here uses the JavaScript library jsrasign to validate the signature directly in the browser without the need to call the server.

You can also hook in an own ValidationHandler by implementing an interface.

More Security Checks

Some additional security checks have been added. The library insists on using https now and only makes an exception for localhost. It also validates the received discovery document.


If you are using it or if you are trying it out, don't hesitate to send me some feedback -- either directly via my blog or via GitHub.