Update oAuth Config and switch to PKCE authorization)

2025-12-28 22:42:11 +01:00 · 2020-02-06 15:25:21 +01:00
parent 7dc63d311f
commit 0a66c0ddfc
6 changed files with 33 additions and 18 deletions
--- a/libs/sso/package.json
+++ b/libs/sso/package.json
@@ -4,6 +4,6 @@
  "peerDependencies": {
    "@angular/common": "^7.2.0",
    "@angular/core": "^7.2.0",
-    "angular-oauth2-oidc": "^5.0.2"
+    "angular-oauth2-oidc": "^8.0.4"
  }
 }
--- a/libs/sso/src/lib/configuration/oauth-prod.config.ts
+++ b/libs/sso/src/lib/configuration/oauth-prod.config.ts
@@ -8,15 +8,13 @@ export const authConfig: AuthConfig = {
  redirectUri: window.location.origin,

  // The SPA's id. The SPA is registerd with this id at the auth-server
-  clientId: 'hug-isa',
+  clientId: 'isa-client',

-  responseType: 'id_token token',
-
-  oidc: true,
+  responseType: 'code',

  // set the scope for the permissions the client should request
  // The first three are defined by OIDC. The 4th is a usecase-specific one
  scope:
    // tslint:disable-next-line: max-line-length
-    'openid profile cmf_user isa-isa-webapi isa-checkout-webapi isa-cat-webapi isa-ava-webapi isa-crm-webapi isa-review-webapi isa-kpi-webapi isa-oms-webapi isa-nbo-webapi isa-print-webapi eis-service',
+    'openid profile cmf_user isa-isa-webapi isa-checkout-webapi isa-cat-webapi isa-ava-webapi isa-crm-webapi isa-review-webapi isa-kpi-webapi isa-oms-webapi isa-nbo-webapi isa-print-webapi eis-service'
 };
--- a/libs/sso/src/lib/configuration/oauth.config.ts
+++ b/libs/sso/src/lib/configuration/oauth.config.ts
@@ -8,15 +8,13 @@ export const authConfig: AuthConfig = {
  redirectUri: window.location.origin,

  // The SPA's id. The SPA is registerd with this id at the auth-server
-  clientId: 'hug-isa',
+  clientId: 'isa-client',

-  responseType: 'id_token token',
-
-  oidc: true,
+  responseType: 'code',

  // set the scope for the permissions the client should request
  // The first three are defined by OIDC. The 4th is a usecase-specific one
  scope:
    // tslint:disable-next-line: max-line-length
-    'openid profile cmf_user isa-isa-webapi isa-checkout-webapi isa-cat-webapi isa-ava-webapi isa-crm-webapi isa-review-webapi isa-kpi-webapi isa-oms-webapi isa-nbo-webapi isa-print-webapi eis-service',
+    'openid profile cmf_user isa-isa-webapi isa-checkout-webapi isa-cat-webapi isa-ava-webapi isa-crm-webapi isa-review-webapi isa-kpi-webapi isa-oms-webapi isa-nbo-webapi isa-print-webapi eis-service'
 };
--- a/libs/sso/src/lib/sso.service.ts
+++ b/libs/sso/src/lib/sso.service.ts
@@ -7,18 +7,37 @@ import { isNullOrUndefined } from 'util';
  providedIn: 'root'
 })
 export class SsoService {
-  constructor(private oauthService: OAuthService, private externalService: SsoInterface) {}
+  constructor(
+    private oauthService: OAuthService,
+    private externalService: SsoInterface
+  ) {}

  public registerAuthentication() {
    this.oauthService.configure(this.externalService.getConfigurations());
    this.oauthService.tokenValidationHandler = new JwksValidationHandler();
-    return this.oauthService.loadDiscoveryDocumentAndLogin({});
+    this.oauthService.setupAutomaticSilentRefresh();
+
+    return this.oauthService.loadDiscoveryDocumentAndTryLogin().then(_ => {
+      const hasIdToken = !!this.getIdToken();
+      const hasAccessToken = !!this.getToken();
+      const isLoggedIn = hasIdToken && hasAccessToken;
+
+      if (!isLoggedIn) {
+        this.login();
+      }
+
+      return new Promise(resolve => resolve());
+    });
  }

  public isAuthenticated(): boolean {
    return !!this.oauthService.getIdentityClaims();
  }

+  public getIdToken(): string {
+    return this.oauthService.getIdToken();
+  }
+
  public getToken(): string {
    return this.oauthService.getAccessToken();
  }
@@ -37,7 +56,7 @@ export class SsoService {
  }

  public login() {
-    this.oauthService.initImplicitFlow();
+    this.oauthService.initLoginFlow();
  }

  public logoff() {
--- a/package-lock.json
+++ b/package-lock.json
@@ -1625,9 +1625,9 @@
      "integrity": "sha1-SlKCrBZHKek2Gbz9OtFR+BfOkfU="
    },
    "angular-oauth2-oidc": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/angular-oauth2-oidc/-/angular-oauth2-oidc-5.0.2.tgz",
-      "integrity": "sha512-jtOv4IWEjSFfBHVE4seWGWT/ZfWJ95QJ1JaFhVVGJEF64ibGuPwV3ztwTOUl98QHi/Yg4PXXDAisb31JnIbxBw==",
+      "version": "8.0.4",
+      "resolved": "https://pkgs.dev.azure.com/hugendubel/_packaging/hugendubel/npm/registry/angular-oauth2-oidc/-/angular-oauth2-oidc-8.0.4.tgz",
+      "integrity": "sha1-YEqqC5hw+yyKW6LlYuPknahubsw=",
      "requires": {
        "jsrsasign": "^8.0.12",
        "tslib": "^1.9.0"
--- a/package.json
+++ b/package.json
@@ -43,7 +43,7 @@
    "@ngxs/store": "^3.4.1",
    "@types/faker": "^4.1.5",
    "@zxing/ngx-scanner": "^1.3.0",
-    "angular-oauth2-oidc": "^5.0.2",
+    "angular-oauth2-oidc": "^8.0.4",
    "angular2-signaturepad": "^2.8.0",
    "application": "^0.1.4",
    "core-js": "^2.6.5",