
aurelia-oauth's People

Contributors

larskemmann, matik12, tmueller


aurelia-oauth's Issues

Logout doesn't include id_token_hint in the redirect url

Hi there - I'm creating this issue to track a tiny pull request I'm about to do. I'm using Identity Server 4, and one of the parameters for the connect/endsession endpoint (part of the OpenID spec) is id_token_hint.

If it's missing at logout then the identity server won't be able to properly identify the current session.

Great library. Thank you.

Authorization code flow

Hi matik12,
Currently, this plugin supports implicit grant flow. Is there any way that I can do something similar with the Authorization code flow?

CORS issue

This is not supporting cross-origin requests.

Doesn't work with the Google Drive (v3) api

I just tried doing a login with settings for Google Drive but can't get it working; I constantly get a 401 error. After further inspection of my headers I can see that the wrong JWT token is being sent. When using the Google Drive REST API the JWT token will be located in a query string parameter called "access_token" and not "id_token". So I tried updating the config to look like this instead (the documentation from Google says the request_type parameter should be token):

oauthTokenService.configure(
{
  name: 'token',
  urlTokenParameters: {
    idToken: 'access_token'
  }
});

But when doing this the google api will complain that the parameter nonce is included... So I removed it by changing the source code a bit but now I get an error that the JWT claims can't be properly parsed...

Anyway, has anyone tried using this library for the Google Drive API? From my understanding the id_token is only used for email and some other Google APIs; maybe this library has only been tested against those APIs?

Anyway, thanks for a great library. I guess this would be an easy fix for @matik12 :)

More info from google here: https://developers.google.com/drive/v3/web/about-auth
and here https://developers.google.com/identity/protocols/OAuth2UserAgent

Support Fetch Client

I had already raised an issue about making the Auth interceptor available for custom httpclients, not realizing that you are supporting the aurelia http client rather than the aurelia fetch client.

From reading the documentation, it sounds like there is a reason why you are not supporting the fetch client. Could you give any details as to why not? It feels like the core Aurelia team is encouraging use of the fetch client.

One-shot config

The auth-service config method appears to be deliberately one-shot. This makes it impossible to change providers without restarting the Aurelia app. I'm looking at changing this, is there a reason I should leave it alone?

Contributors needed

Hey, everybody!

I'm looking for some people who would be able to help me going forward with this plugin (and its maintenance), as I have very limited time at the moment and a few other plugins to take care of.
The road map and game plan can be determined together later on; I am open to any suggestions.

If you're interested, that's awesome; please get in touch with me :)

Expose OAuth interceptor for use by custom httpclient

I have been using an adaptation of the library at https://github.com/MrTeyn/aurelia-adal, which is an Aurelia wrapper for the adal.js library provided by Microsoft, but I have been having problems with Internet Explorer. That library works with all browsers except for IE. Its AuthInterceptor is exposed so that it can be used by other httpclients.

I explored using your library, but it appears that the way you are configuring the oauth interceptor. I have implemented a custom http client that inherits from the Aurelia fetch client. There, I hook in the auth interceptor and then hook in my own interceptor after that.

How much effort would it be to make the OAuth interceptor available so that it can be used by a custom httpclient?

Wrong redirect when Aurelia Router 'push state' mode is activated

It seems that when you configure the Aurelia router with 'push state', the redirection after login forces Aurelia to restart twice, cancelling the oauth token.

Router configuration
config.options.pushState = true;
config.options.root = '/';

Plugin configuration
oauthService.configure(
{
  loginUrl: 'https://login.microsoftonline.com/myspecifictenant/oauth2/authorize',
  logoutUrl: 'https://login.microsoftonline.com/myspecifictenant/oauth2/logout',
  clientId: 'myapplicationtenantid',
  alwaysRequireLogin: false,
});

The bug is fixed when setting a redirect uri in the plugin configuration.

Incorrect authorisation header for requests against OAuth 2.0 endpoints

When calling OAuth 2.0 endpoints, the access token is used. Here is a snippet from Google.

image

Currently, the CreateToken function is returning the "idToken" from the URL token parameters and hard coding this value against the Bearer. Later the authorisation header is injected with these values.

But when calling OAuth 2.0 endpoints, I am currently getting 401 errors because the authorisation header is passing the id_token instead of the access_token. I can't see anywhere where the access_token is handled on the redirect.

Is it possible to support multiple identity providers?

and if so, how do you suggest doing that?

Looking over the usage examples, I got the sense that it was only possible to configure one particular identity provider, but I think it would be awesome to present to the user a list of (OAUTH2-compliant) options.

Logout should not force query string parameters

When a user logs out of my application, the only thing that is needed is to clear the token and refresh the application by navigating back to the start url. Currently the logout() method also appends query string parameters, expecting the server to do something with the redirectUri, but in my case, I don't want to log the user out of the STS (Azure AD) ... only my application.

Is there a way that we can configure aurelia-oauth to make setting the query string parameters of the redirectUrl optional for this use case?

public logout = (): void => {
    var redirectUrl = `${this.config.logoutUrl}?` +
        `${this.config.logoutRedirectParameterName}=${encodeURIComponent(this.config.redirectUri)}`;

    window.location.href = redirectUrl;
    this.oAuthTokenService.removeToken();
};
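
Added example, not part of the post above and not aurelia-oauth's own code: one way to build the sign-out redirect so that it covers both logout issues on this page, the id_token_hint for the identity server's end-session endpoint and an application-only logout that never contacts the STS. The `localOnly` option, the `tokenStore` object with `getIdToken`, and the `navigate` callback are hypothetical names introduced for the sketch.

```javascript
// Config names logoutUrl, logoutRedirectParameterName and redirectUri come from
// the snippet above; `localOnly` is a hypothetical option added for this sketch.
function buildLogoutUrl(config, idToken) {
  // Application-only sign-out: go back to the app, send nothing to the STS.
  if (config.localOnly || !config.logoutUrl) return config.redirectUri;

  const url = new URL(config.logoutUrl);
  // searchParams.set() percent-encodes the value, so no manual encodeURIComponent.
  if (config.logoutRedirectParameterName && config.redirectUri) {
    url.searchParams.set(config.logoutRedirectParameterName, config.redirectUri);
  }
  // id_token_hint lets the identity server match the request to a session.
  if (idToken) url.searchParams.set('id_token_hint', idToken);
  return url.toString();
}

// `tokenStore` and `navigate` are injected stand-ins (assumptions) for the
// plugin's token service and for assigning window.location.href.
function logout(config, tokenStore, navigate) {
  const idToken = tokenStore.getIdToken(); // read the hint before clearing state
  const target = buildLogoutUrl(config, idToken);
  tokenStore.removeToken();                // clear local state first
  navigate(target);                        // then leave the page
  return target;
}
```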

jwt-token-service can't handle facebook tokens

Facebook tokens are not base64 encoded JWT.

You decode them like this:

GET graph.facebook.com/debug_token?
     input_token={token-to-inspect}
     &access_token={app-token-or-admin-token}

The problem with that is it's asynchronous. I tried rewriting the jwtTokenService so that createToken returns immediately with a token containing a null value for getJwtClaims, and getJwtClaims closes over the IOAuthTokenData object and fills in the missing values as soon as they are ready. But this is not enough; whatever is using the claims needs to wait for the values to be provided and I have yet to figure out where to make that change.
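
Added example, not part of any post above and not aurelia-oauth's own code: a sketch of the distinction behind the Google Drive, authorisation-header and Facebook issues, where the redirect carries an `access_token` that may be opaque alongside an `id_token` that is a JWT. All function names and the sample redirect are constructed for illustration, and the sample id_token is unsigned dummy data.

```javascript
// Constructed sample data: a made-up id_token and an opaque access token.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_ID_TOKEN =
  `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url({ sub: 'user-1', nonce: 'n-1' })}.constructed`;
const SAMPLE_REDIRECT = 'https://app.example/#access_token=opaque-constructed-token' +
  `&token_type=Bearer&id_token=${SAMPLE_ID_TOKEN}`;

// Split an implicit-flow redirect fragment into its separate tokens.
function parseRedirectFragment(redirectUrl) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.replace(/^#/, ''));
  return { accessToken: params.get('access_token'), idToken: params.get('id_token') };
}

// Return the claims of a JWT-shaped token, or null for an opaque token.
// Decoding is not verification: the signature is not checked here.
function tryDecodeJwtClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    const claims = JSON.parse(new TextDecoder().decode(bytes));
    return claims !== null && typeof claims === 'object' ? claims : null;
  } catch (err) {
    return null; // not base64url or not JSON: treat the token as opaque
  }
}

// Bearer value for API calls comes from access_token; identity claims come
// from id_token. An opaque access token yields no claims instead of an error.
function sessionFromRedirect(redirectUrl) {
  const { accessToken, idToken } = parseRedirectFragment(redirectUrl);
  return {
    authorization: accessToken ? `Bearer ${accessToken}` : null,
    claims: tryDecodeJwtClaims(idToken),
    accessTokenIsJwt: tryDecodeJwtClaims(accessToken) !== null,
  };
}
```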

TS7016: Could not find a declaration file for module 'aurelia-oauth'.

After following the directions, the project I'm working with throws the following error: TS7016: Could not find a declaration file for module 'aurelia-oauth'. I'm running this on ASP.NET Core with webpack; does webpack need to be configured to understand the plugin in some way?
