angular-auth-oidc-client
Version:
An OpenID Connect Code Flow with PKCE,Implicit Flow client for Angular
1,295 lines (1,277 loc) • 176 kB
JavaScript
(function (global, factory) {
typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports, require('@angular/common'), require('jsrsasign'), require('@angular/common/http'), require('@angular/router'), require('rxjs'), require('@angular/core'), require('rxjs/operators')) :
typeof define === 'function' && define.amd ? define('angular-auth-oidc-client', ['exports', '@angular/common', 'jsrsasign', '@angular/common/http', '@angular/router', 'rxjs', '@angular/core', 'rxjs/operators'], factory) :
(factory((global['angular-auth-oidc-client'] = {}),global.ng.common,global.jsrsasign,global.ng.common.http,global.ng.router,global.rxjs,global.ng.core,global.rxjs.operators));
}(this, (function (exports,common,jsrsasign,http,router,rxjs,i0,operators) { 'use strict';
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var AuthorizationResult = /** @class */ (function () {
function AuthorizationResult(authorizationState, validationResult) {
this.authorizationState = authorizationState;
this.validationResult = validationResult;
}
return AuthorizationResult;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
/** @enum {string} */
var AuthorizationState = {
authorized: 'authorized',
forbidden: 'forbidden',
unauthorized: 'unauthorized',
};
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var JwtKeys = /** @class */ (function () {
function JwtKeys() {
this.keys = [];
}
return JwtKeys;
}());
var JwtKey = /** @class */ (function () {
function JwtKey() {
this.kty = '';
this.use = '';
this.kid = '';
this.x5t = '';
this.e = '';
this.n = '';
this.x5c = [];
}
return JwtKey;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
/** @enum {string} */
var ValidationResult = {
NotSet: 'NotSet',
StatesDoNotMatch: 'StatesDoNotMatch',
SignatureFailed: 'SignatureFailed',
IncorrectNonce: 'IncorrectNonce',
RequiredPropertyMissing: 'RequiredPropertyMissing',
MaxOffsetExpired: 'MaxOffsetExpired',
IssDoesNotMatchIssuer: 'IssDoesNotMatchIssuer',
NoAuthWellKnownEndPoints: 'NoAuthWellKnownEndPoints',
IncorrectAud: 'IncorrectAud',
TokenExpired: 'TokenExpired',
IncorrectAtHash: 'IncorrectAtHash',
Ok: 'Ok',
LoginRequired: 'LoginRequired',
SecureTokenServerError: 'SecureTokenServerError',
};
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var ValidateStateResult = /** @class */ (function () {
function ValidateStateResult(access_token, id_token, authResponseIsValid, decoded_id_token, state) {
if (access_token === void 0) {
access_token = '';
}
if (id_token === void 0) {
id_token = '';
}
if (authResponseIsValid === void 0) {
authResponseIsValid = false;
}
if (decoded_id_token === void 0) {
decoded_id_token = {};
}
if (state === void 0) {
state = ValidationResult.NotSet;
}
this.access_token = access_token;
this.id_token = id_token;
this.authResponseIsValid = authResponseIsValid;
this.decoded_id_token = decoded_id_token;
this.state = state;
}
return ValidateStateResult;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var OidcDataService = /** @class */ (function () {
function OidcDataService(httpClient) {
this.httpClient = httpClient;
}
/**
* @template T
* @param {?} url
* @return {?}
*/
OidcDataService.prototype.getWellknownEndpoints = /**
* @template T
* @param {?} url
* @return {?}
*/
function (url) {
/** @type {?} */
var headers = new http.HttpHeaders();
headers = headers.set('Accept', 'application/json');
return this.httpClient.get(url, {
headers: headers,
});
};
/**
* @template T
* @param {?} url
* @param {?} token
* @return {?}
*/
OidcDataService.prototype.getIdentityUserData = /**
* @template T
* @param {?} url
* @param {?} token
* @return {?}
*/
function (url, token) {
/** @type {?} */
var headers = new http.HttpHeaders();
headers = headers.set('Accept', 'application/json');
headers = headers.set('Authorization', 'Bearer ' + decodeURIComponent(token));
return this.httpClient.get(url, {
headers: headers,
});
};
/**
* @template T
* @param {?} url
* @return {?}
*/
OidcDataService.prototype.get = /**
* @template T
* @param {?} url
* @return {?}
*/
function (url) {
/** @type {?} */
var headers = new http.HttpHeaders();
headers = headers.set('Accept', 'application/json');
return this.httpClient.get(url, {
headers: headers,
});
};
OidcDataService.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
OidcDataService.ctorParameters = function () {
return [
{ type: http.HttpClient }
];
};
return OidcDataService;
}());
/*! *****************************************************************************
Copyright (c) Microsoft Corporation. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0
THIS CODE IS PROVIDED ON AN *AS IS* BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED
WARRANTIES OR CONDITIONS OF TITLE, FITNESS FOR A PARTICULAR PURPOSE,
MERCHANTABLITY OR NON-INFRINGEMENT.
See the Apache Version 2.0 License for specific language governing permissions
and limitations under the License.
***************************************************************************** */
var __assign = function () {
__assign = Object.assign || function __assign(t) {
for (var s, i = 1, n = arguments.length; i < n; i++) {
s = arguments[i];
for (var p in s)
if (Object.prototype.hasOwnProperty.call(s, p))
t[p] = s[p];
}
return t;
};
return __assign.apply(this, arguments);
};
function __values(o) {
var m = typeof Symbol === "function" && o[Symbol.iterator], i = 0;
if (m)
return m.call(o);
return {
next: function () {
if (o && i >= o.length)
o = void 0;
return { value: o && o[i++], done: !o };
}
};
}
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var PlatformProvider = /** @class */ (function () {
function PlatformProvider(platformId) {
this.platformId = platformId;
}
Object.defineProperty(PlatformProvider.prototype, "isBrowser", {
get: /**
* @return {?}
*/ function () {
return common.isPlatformBrowser(this.platformId);
},
enumerable: true,
configurable: true
});
PlatformProvider.decorators = [
{ type: i0.Injectable, args: [{ providedIn: 'root' },] }
];
/** @nocollapse */
PlatformProvider.ctorParameters = function () {
return [
{ type: Object, decorators: [{ type: i0.Inject, args: [i0.PLATFORM_ID,] }] }
];
};
/** @nocollapse */ PlatformProvider.ngInjectableDef = i0.defineInjectable({ factory: function PlatformProvider_Factory() { return new PlatformProvider(i0.inject(i0.PLATFORM_ID)); }, token: PlatformProvider, providedIn: "root" });
return PlatformProvider;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var ConfigurationProvider = /** @class */ (function () {
function ConfigurationProvider(platformProvider) {
this.platformProvider = platformProvider;
this.DEFAULT_CONFIG = {
stsServer: 'https://please_set',
redirect_url: 'https://please_set',
client_id: 'please_set',
response_type: 'code',
scope: 'openid email profile',
hd_param: '',
post_logout_redirect_uri: 'https://please_set',
start_checksession: false,
silent_renew: false,
silent_renew_url: 'https://please_set',
silent_renew_offset_in_seconds: 0,
post_login_route: '/',
forbidden_route: '/forbidden',
unauthorized_route: '/unauthorized',
auto_userinfo: true,
auto_clean_state_after_authentication: true,
trigger_authorization_result_event: false,
log_console_warning_active: true,
log_console_debug_active: false,
iss_validation_off: false,
history_cleanup_off: false,
max_id_token_iat_offset_allowed_in_seconds: 3,
disable_iat_offset_validation: false,
storage: typeof Storage !== 'undefined' ? sessionStorage : null,
};
this.INITIAL_AUTHWELLKNOWN = {
issuer: '',
jwks_uri: '',
authorization_endpoint: '',
token_endpoint: '',
userinfo_endpoint: '',
end_session_endpoint: '',
check_session_iframe: '',
revocation_endpoint: '',
introspection_endpoint: '',
};
this.mergedOpenIdConfiguration = this.DEFAULT_CONFIG;
this.authWellKnownEndpoints = this.INITIAL_AUTHWELLKNOWN;
this.onConfigurationChangeInternal = new rxjs.Subject();
}
Object.defineProperty(ConfigurationProvider.prototype, "openIDConfiguration", {
get: /**
* @return {?}
*/ function () {
return this.mergedOpenIdConfiguration;
},
enumerable: true,
configurable: true
});
Object.defineProperty(ConfigurationProvider.prototype, "wellKnownEndpoints", {
get: /**
* @return {?}
*/ function () {
return this.authWellKnownEndpoints;
},
enumerable: true,
configurable: true
});
Object.defineProperty(ConfigurationProvider.prototype, "onConfigurationChange", {
get: /**
* @return {?}
*/ function () {
return this.onConfigurationChangeInternal.asObservable();
},
enumerable: true,
configurable: true
});
/**
* @param {?} passedOpenIfConfiguration
* @param {?} passedAuthWellKnownEndpoints
* @return {?}
*/
ConfigurationProvider.prototype.setup = /**
* @param {?} passedOpenIfConfiguration
* @param {?} passedAuthWellKnownEndpoints
* @return {?}
*/
function (passedOpenIfConfiguration, passedAuthWellKnownEndpoints) {
this.mergedOpenIdConfiguration = __assign({}, this.mergedOpenIdConfiguration, passedOpenIfConfiguration);
this.setSpecialCases(this.mergedOpenIdConfiguration);
this.authWellKnownEndpoints = __assign({}, passedAuthWellKnownEndpoints);
this.onConfigurationChangeInternal.next(__assign({}, this.mergedOpenIdConfiguration));
};
/**
* @private
* @param {?} currentConfig
* @return {?}
*/
ConfigurationProvider.prototype.setSpecialCases = /**
* @private
* @param {?} currentConfig
* @return {?}
*/
function (currentConfig) {
if (!this.platformProvider.isBrowser) {
currentConfig.start_checksession = false;
currentConfig.silent_renew = false;
}
};
ConfigurationProvider.decorators = [
{ type: i0.Injectable, args: [{ providedIn: 'root' },] }
];
/** @nocollapse */
ConfigurationProvider.ctorParameters = function () {
return [
{ type: PlatformProvider }
];
};
/** @nocollapse */ ConfigurationProvider.ngInjectableDef = i0.defineInjectable({ factory: function ConfigurationProvider_Factory() { return new ConfigurationProvider(i0.inject(PlatformProvider)); }, token: ConfigurationProvider, providedIn: "root" });
return ConfigurationProvider;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var LoggerService = /** @class */ (function () {
function LoggerService(configurationProvider) {
this.configurationProvider = configurationProvider;
}
/**
* @param {?} message
* @return {?}
*/
LoggerService.prototype.logError = /**
* @param {?} message
* @return {?}
*/
function (message) {
console.error(message);
};
/**
* @param {?} message
* @return {?}
*/
LoggerService.prototype.logWarning = /**
* @param {?} message
* @return {?}
*/
function (message) {
if (this.configurationProvider.openIDConfiguration.log_console_warning_active) {
console.warn(message);
}
};
/**
* @param {?} message
* @return {?}
*/
LoggerService.prototype.logDebug = /**
* @param {?} message
* @return {?}
*/
function (message) {
if (this.configurationProvider.openIDConfiguration.log_console_debug_active) {
console.log(message);
}
};
LoggerService.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
LoggerService.ctorParameters = function () {
return [
{ type: ConfigurationProvider }
];
};
return LoggerService;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var IFrameService = /** @class */ (function () {
function IFrameService(loggerService) {
this.loggerService = loggerService;
}
/**
* @param {?} identifier
* @return {?}
*/
IFrameService.prototype.getExistingIFrame = /**
* @param {?} identifier
* @return {?}
*/
function (identifier) {
/** @type {?} */
var iFrameOnParent = this.getIFrameFromParentWindow(identifier);
if (iFrameOnParent) {
return iFrameOnParent;
}
return this.getIFrameFromWindow(identifier);
};
/**
* @param {?} identifier
* @return {?}
*/
IFrameService.prototype.addIFrameToWindowBody = /**
* @param {?} identifier
* @return {?}
*/
function (identifier) {
/** @type {?} */
var sessionIframe = window.document.createElement('iframe');
sessionIframe.id = identifier;
this.loggerService.logDebug(sessionIframe);
sessionIframe.style.display = 'none';
window.document.body.appendChild(sessionIframe);
return sessionIframe;
};
/**
* @private
* @param {?} identifier
* @return {?}
*/
IFrameService.prototype.getIFrameFromParentWindow = /**
* @private
* @param {?} identifier
* @return {?}
*/
function (identifier) {
try {
return window.parent.document.getElementById(identifier);
}
catch (e) {
return null;
}
};
/**
* @private
* @param {?} identifier
* @return {?}
*/
IFrameService.prototype.getIFrameFromWindow = /**
* @private
* @param {?} identifier
* @return {?}
*/
function (identifier) {
return window.document.getElementById(identifier);
};
IFrameService.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
IFrameService.ctorParameters = function () {
return [
{ type: LoggerService }
];
};
return IFrameService;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var EqualityHelperService = /** @class */ (function () {
function EqualityHelperService() {
}
/**
* @param {?} value1
* @param {?} value2
* @return {?}
*/
EqualityHelperService.prototype.areEqual = /**
* @param {?} value1
* @param {?} value2
* @return {?}
*/
function (value1, value2) {
if (!value1 || !value2) {
return false;
}
if (this.bothValuesAreArrays(value1, value2)) {
return this.arraysEqual(( /** @type {?} */(value1)), ( /** @type {?} */(value2)));
}
if (this.bothValuesAreStrings(value1, value2)) {
return value1 === value2;
}
if (this.bothValuesAreObjects(value1, value2)) {
return JSON.stringify(value1).toLowerCase() === JSON.stringify(value2).toLowerCase();
}
if (this.oneValueIsStringAndTheOtherIsArray(value1, value2)) {
if (Array.isArray(value1) && this.valueIsString(value2)) {
return value1[0] === value2;
}
if (Array.isArray(value2) && this.valueIsString(value1)) {
return value2[0] === value1;
}
}
};
/**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
EqualityHelperService.prototype.oneValueIsStringAndTheOtherIsArray = /**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
function (value1, value2) {
return (Array.isArray(value1) && this.valueIsString(value2)) || (Array.isArray(value2) && this.valueIsString(value1));
};
/**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
EqualityHelperService.prototype.bothValuesAreObjects = /**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
function (value1, value2) {
return this.valueIsObject(value1) && this.valueIsObject(value2);
};
/**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
EqualityHelperService.prototype.bothValuesAreStrings = /**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
function (value1, value2) {
return this.valueIsString(value1) && this.valueIsString(value2);
};
/**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
EqualityHelperService.prototype.bothValuesAreArrays = /**
* @private
* @param {?} value1
* @param {?} value2
* @return {?}
*/
function (value1, value2) {
return Array.isArray(value1) && Array.isArray(value2);
};
/**
* @private
* @param {?} value
* @return {?}
*/
EqualityHelperService.prototype.valueIsString = /**
* @private
* @param {?} value
* @return {?}
*/
function (value) {
return typeof value === 'string' || value instanceof String;
};
/**
* @private
* @param {?} value
* @return {?}
*/
EqualityHelperService.prototype.valueIsObject = /**
* @private
* @param {?} value
* @return {?}
*/
function (value) {
return typeof value === 'object';
};
/**
* @private
* @param {?} arr1
* @param {?} arr2
* @return {?}
*/
EqualityHelperService.prototype.arraysEqual = /**
* @private
* @param {?} arr1
* @param {?} arr2
* @return {?}
*/
function (arr1, arr2) {
if (arr1.length !== arr2.length) {
return false;
}
for (var i = arr1.length; i--;) {
if (arr1[i] !== arr2[i]) {
return false;
}
}
return true;
};
EqualityHelperService.decorators = [
{ type: i0.Injectable }
];
return EqualityHelperService;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var TokenHelperService = /** @class */ (function () {
function TokenHelperService(loggerService) {
this.loggerService = loggerService;
this.PARTS_OF_TOKEN = 3;
}
/**
* @param {?} dataIdToken
* @return {?}
*/
TokenHelperService.prototype.getTokenExpirationDate = /**
* @param {?} dataIdToken
* @return {?}
*/
function (dataIdToken) {
if (!dataIdToken.hasOwnProperty('exp')) {
return new Date();
}
/** @type {?} */
var date = new Date(0);
date.setUTCSeconds(dataIdToken.exp);
return date;
};
/**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
TokenHelperService.prototype.getHeaderFromToken = /**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
function (token, encoded) {
if (!this.tokenIsValid(token)) {
return {};
}
return this.getPartOfToken(token, 0, encoded);
};
/**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
TokenHelperService.prototype.getPayloadFromToken = /**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
function (token, encoded) {
if (!this.tokenIsValid(token)) {
return {};
}
return this.getPartOfToken(token, 1, encoded);
};
/**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
TokenHelperService.prototype.getSignatureFromToken = /**
* @param {?} token
* @param {?} encoded
* @return {?}
*/
function (token, encoded) {
if (!this.tokenIsValid(token)) {
return {};
}
return this.getPartOfToken(token, 2, encoded);
};
/**
* @private
* @param {?} token
* @param {?} index
* @param {?} encoded
* @return {?}
*/
TokenHelperService.prototype.getPartOfToken = /**
* @private
* @param {?} token
* @param {?} index
* @param {?} encoded
* @return {?}
*/
function (token, index, encoded) {
/** @type {?} */
var partOfToken = this.extractPartOfToken(token, index);
if (encoded) {
return partOfToken;
}
/** @type {?} */
var result = this.urlBase64Decode(partOfToken);
return JSON.parse(result);
};
/**
* @private
* @param {?} str
* @return {?}
*/
TokenHelperService.prototype.urlBase64Decode = /**
* @private
* @param {?} str
* @return {?}
*/
function (str) {
/** @type {?} */
var output = str.replace(/-/g, '+').replace(/_/g, '/');
switch (output.length % 4) {
case 0:
break;
case 2:
output += '==';
break;
case 3:
output += '=';
break;
default:
throw Error('Illegal base64url string!');
}
/** @type {?} */
var decoded = typeof window !== 'undefined' ? window.atob(output) : new Buffer(output, 'base64').toString('binary');
try {
// Going backwards: from bytestream, to percent-encoding, to original string.
return decodeURIComponent(decoded.split('')
.map(( /**
* @param {?} c
* @return {?}
*/function (c) { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }))
.join(''));
}
catch (err) {
return decoded;
}
};
/**
* @private
* @param {?} token
* @return {?}
*/
TokenHelperService.prototype.tokenIsValid = /**
* @private
* @param {?} token
* @return {?}
*/
function (token) {
if (!token) {
this.loggerService.logError("token '" + token + "' is not valid --> token falsy");
return false;
}
if (!(( /** @type {?} */(token))).includes('.')) {
this.loggerService.logError("token '" + token + "' is not valid --> no dots included");
return false;
}
/** @type {?} */
var parts = token.split('.');
if (parts.length !== this.PARTS_OF_TOKEN) {
this.loggerService.logError("token '" + token + "' is not valid --> token has t have exact three dots");
return false;
}
return true;
};
/**
* @private
* @param {?} token
* @param {?} index
* @return {?}
*/
TokenHelperService.prototype.extractPartOfToken = /**
* @private
* @param {?} token
* @param {?} index
* @return {?}
*/
function (token, index) {
return token.split('.')[index];
};
TokenHelperService.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
TokenHelperService.ctorParameters = function () {
return [
{ type: LoggerService }
];
};
return TokenHelperService;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
/**
* Implement this class-interface to create a custom storage.
* @abstract
*/
var OidcSecurityStorage = /** @class */ (function () {
function OidcSecurityStorage() {
}
OidcSecurityStorage.decorators = [
{ type: i0.Injectable }
];
return OidcSecurityStorage;
}());
var BrowserStorage = /** @class */ (function () {
function BrowserStorage(configProvider) {
this.configProvider = configProvider;
this.hasStorage = typeof Storage !== 'undefined';
}
/**
* @param {?} key
* @return {?}
*/
BrowserStorage.prototype.read = /**
* @param {?} key
* @return {?}
*/
function (key) {
if (this.hasStorage) {
return JSON.parse(this.configProvider.openIDConfiguration.storage.getItem(key + '_' + this.configProvider.openIDConfiguration.client_id));
}
return;
};
/**
* @param {?} key
* @param {?} value
* @return {?}
*/
BrowserStorage.prototype.write = /**
* @param {?} key
* @param {?} value
* @return {?}
*/
function (key, value) {
if (this.hasStorage) {
value = value === undefined ? null : value;
this.configProvider.openIDConfiguration.storage.setItem(key + '_' + this.configProvider.openIDConfiguration.client_id, JSON.stringify(value));
}
};
BrowserStorage.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
BrowserStorage.ctorParameters = function () {
return [
{ type: ConfigurationProvider }
];
};
return BrowserStorage;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
var OidcSecurityCommon = /** @class */ (function () {
function OidcSecurityCommon(oidcSecurityStorage) {
this.oidcSecurityStorage = oidcSecurityStorage;
this.storage_auth_result = 'authorizationResult';
this.storage_access_token = 'authorizationData';
this.storage_id_token = 'authorizationDataIdToken';
this.storage_is_authorized = '_isAuthorized';
this.storage_user_data = 'userData';
this.storage_auth_nonce = 'authNonce';
this.storage_code_verifier = 'code_verifier';
this.storage_auth_state_control = 'authStateControl';
this.storage_session_state = 'session_state';
this.storage_silent_renew_running = 'storage_silent_renew_running';
this.storage_custom_request_params = 'storage_custom_request_params';
}
Object.defineProperty(OidcSecurityCommon.prototype, "authResult", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_auth_result);
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_auth_result, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "accessToken", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_access_token) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_access_token, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "idToken", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_id_token) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_id_token, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "isAuthorized", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_is_authorized);
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_is_authorized, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "userData", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_user_data);
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_user_data, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "authNonce", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_auth_nonce) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_auth_nonce, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "code_verifier", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_code_verifier) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_code_verifier, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "authStateControl", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_auth_state_control) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_auth_state_control, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "sessionState", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_session_state);
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_session_state, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "silentRenewRunning", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_silent_renew_running) || '';
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_silent_renew_running, value);
},
enumerable: true,
configurable: true
});
Object.defineProperty(OidcSecurityCommon.prototype, "customRequestParams", {
get: /**
* @return {?}
*/ function () {
return this.retrieve(this.storage_custom_request_params);
},
set: /**
* @param {?} value
* @return {?}
*/ function (value) {
this.store(this.storage_custom_request_params, value);
},
enumerable: true,
configurable: true
});
/**
* @private
* @param {?} key
* @return {?}
*/
OidcSecurityCommon.prototype.retrieve = /**
* @private
* @param {?} key
* @return {?}
*/
function (key) {
return this.oidcSecurityStorage.read(key);
};
/**
* @private
* @param {?} key
* @param {?} value
* @return {?}
*/
OidcSecurityCommon.prototype.store = /**
* @private
* @param {?} key
* @param {?} value
* @return {?}
*/
function (key, value) {
this.oidcSecurityStorage.write(key, value);
};
/**
* @param {?} isRenewProcess
* @return {?}
*/
OidcSecurityCommon.prototype.resetStorageData = /**
* @param {?} isRenewProcess
* @return {?}
*/
function (isRenewProcess) {
if (!isRenewProcess) {
this.store(this.storage_auth_result, '');
this.store(this.storage_session_state, '');
this.store(this.storage_silent_renew_running, '');
this.store(this.storage_is_authorized, false);
this.store(this.storage_access_token, '');
this.store(this.storage_id_token, '');
this.store(this.storage_user_data, '');
this.store(this.storage_code_verifier, '');
}
};
/**
* @return {?}
*/
OidcSecurityCommon.prototype.getAccessToken = /**
* @return {?}
*/
function () {
return this.retrieve(this.storage_access_token);
};
/**
* @return {?}
*/
OidcSecurityCommon.prototype.getIdToken = /**
* @return {?}
*/
function () {
return this.retrieve(this.storage_id_token);
};
OidcSecurityCommon.decorators = [
{ type: i0.Injectable }
];
/** @nocollapse */
OidcSecurityCommon.ctorParameters = function () {
return [
{ type: OidcSecurityStorage }
];
};
return OidcSecurityCommon;
}());
/**
* @fileoverview added by tsickle
* @suppress {checkTypes,extraRequire,missingOverride,missingReturn,unusedPrivateMembers,uselessCode} checked by tsc
*/
// http://openid.net/specs/openid-connect-implicit-1_0.html
// id_token
// id_token C1: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
// MUST exactly match the value of the iss (issuer) Claim.
//
// id_token C2: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified
// by the iss (issuer) Claim as an audience.The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
// or if it contains additional audiences not trusted by the Client.
//
// id_token C3: If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
//
// id_token C4: If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
//
// id_token C5: The Client MUST validate the signature of the ID Token according to JWS [JWS] using the algorithm specified in the
// alg Header Parameter of the JOSE Header.The Client MUST use the keys provided by the Issuer.
//
// id_token C6: The alg value SHOULD be RS256. Validation of tokens using other signing algorithms is described in the OpenID Connect Core 1.0
// [OpenID.Core] specification.
//
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account
// for clock skew).
//
// id_token C8: The iat Claim can be used to reject tokens that were issued too far away from the current time,
// limiting the amount of time that nonces need to be stored to prevent attacks.The acceptable range is Client specific.
//
// id_token C9: The value of the nonce Claim MUST be checked to verify that it is the same value as the one that was sent
// in the Authentication Request.The Client SHOULD check the nonce value for replay attacks.The precise method for detecting replay attacks
// is Client specific.
//
// id_token C10: If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
// The meaning and processing of acr Claim Values is out of scope for this document.
//
// id_token C11: When a max_age request is made, the Client SHOULD check the auth_time Claim value and request re- authentication
// if it determines too much time has elapsed since the last End- User authentication.
// Access Token Validation
// access_token C1: Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA[JWA]
// for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
// access_token C2: Take the left- most half of the hash and base64url- encode it.
// access_token C3: The value of at_hash in the ID Token MUST match the value produced in the previous step if at_hash is present in the ID Token.
var OidcSecurityValidation = /** @class */ (function () {
function OidcSecurityValidation(arrayHelperService, tokenHelperService, loggerService) {
this.arrayHelperService = arrayHelperService;
this.tokenHelperService = tokenHelperService;
this.loggerService = loggerService;
}
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
/**
* @param {?} token
* @param {?=} offsetSeconds
* @return {?}
*/
OidcSecurityValidation.prototype.isTokenExpired =
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
/**
* @param {?} token
* @param {?=} offsetSeconds
* @return {?}
*/
function (token, offsetSeconds) {
/** @type {?} */
var decoded;
decoded = this.tokenHelperService.getPayloadFromToken(token, false);
return !this.validate_id_token_exp_not_expired(decoded, offsetSeconds);
};
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
/**
* @param {?} decoded_id_token
* @param {?=} offsetSeconds
* @return {?}
*/
OidcSecurityValidation.prototype.validate_id_token_exp_not_expired =
// id_token C7: The current time MUST be before the time represented by the exp Claim (possibly allowing for some small leeway to account for clock skew).
/**
* @param {?} decoded_id_token
* @param {?=} offsetSeconds
* @return {?}
*/
function (decoded_id_token, offsetSeconds) {
/** @type {?} */
var tokenExpirationDate = this.tokenHelperService.getTokenExpirationDate(decoded_id_token);
offsetSeconds = offsetSeconds || 0;
if (!tokenExpirationDate) {
return false;
}
/** @type {?} */
var tokenExpirationValue = tokenExpirationDate.valueOf();
/** @type {?} */
var nowWithOffset = new Date().valueOf() + offsetSeconds * 1000;
/** @type {?} */
var tokenNotExpired = tokenExpirationValue > nowWithOffset;
this.loggerService.logDebug("Token not expired?: " + tokenExpirationValue + " > " + nowWithOffset + " (" + tokenNotExpired + ")");
// Token not expired?
return tokenNotExpired;
};
// iss
// REQUIRED. Issuer Identifier for the Issuer of the response.The iss value is a case-sensitive URL using the https scheme that contains scheme, host,
// and optionally, port number and path components and no query or fragment components.
//
// sub
// REQUIRED. Subject Identifier.Locally unique and never reassigned identifier within the Issuer for the End- User,
// which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4.
// It MUST NOT exceed 255 ASCII characters in length.The sub value is a case-sensitive string.
//
// aud
// REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
// It MAY also contain identifiers for other audiences.In the general case, the aud value is an array of case-sensitive strings.
// In the common special case when there is one audience, the aud value MAY be a single case-sensitive str