You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This method starts the complete authentication flow. Use this method if you are running with a single config or want to check a single config.
261
+
**Call this once on every app load** (typically from your root component's `ngOnInit`). Without it, the library never bootstraps and the auth state stays uninitialised.
262
262
263
-
This method parses the URL when redirected back from the Security Token Service (STS) and sets all values.
263
+
Specifically, `checkAuth()` does three things:
264
264
265
-
It returns an `Observable<LoginResponse>` containing all information you need in one object.
265
+
1.**Processes the callback** if the current URL contains an auth response from the identity provider (after the redirect back from sign-in).
266
+
2.**Restores an existing session** from storage if one is present, so a page refresh keeps the user signed in.
267
+
3.**Starts silent token renewal** and the periodic token-validity check, if configured.
268
+
269
+
It returns an `Observable<LoginResponse>` describing the result:
266
270
267
271
```ts
268
272
{
@@ -275,13 +279,15 @@ It returns an `Observable<LoginResponse>` containing all information you need in
275
279
}
276
280
```
277
281
282
+
> `checkAuth()` does **not** redirect the user anywhere. To start a *new* sign-in (e.g. on a "Login" button click), call [`authorize()`](#authorizeconfigid-string-authoptions-authoptions) instead.
You can also pass a `configId` to check for as well as a URL in case you want to overwrite the current one in the address bar from the browser. This is useful for mobile or desktop cases like Electron or Cordova/Ionic.
290
+
You can also pass a `configId` to target a specific config, and a `url`to override the URL the library reads the callback from. The custom URL is mainly useful for non-browser shells like Electron or Cordova/Ionic where `window.location` doesn't reflect the callback.
> **Multiple configs:**`checkAuth()` only bootstraps a single config. If you've registered more than one via `provideAuth`, use [`checkAuthMultiple()`](#checkauthmultipleurl-string) to bootstrap all of them in one call.
302
+
303
+
> **Already signed in elsewhere?** If you want the app to detect a server-side session at the identity provider that this app hasn't observed yet (typical SSO case), use [`checkAuthIncludingServer()`](#checkauthincludingserverconfigid-string).
304
+
295
305
## checkAuthMultiple(url?: string)
296
306
297
-
This method starts the complete authentication flow for multiple configs. Use this method if you are running with multiple configs to check which one is authenticated or not.
307
+
The multi-config equivalent of [`checkAuth()`](#checkauthurl-string-configid-string). Use this once on every app load **if you've registered more than one `provideAuth` configuration** — it bootstraps all of them in a single call.
298
308
299
-
This method parses the URL when you come back from the Security Token Service (STS) and sets all values.
309
+
It does the same three things as `checkAuth()` (processes the callback, restores stored sessions, starts silent renewal), applied to every registered config.
300
310
301
-
It returns an `Observable<LoginResponse[]>`containing all information you need in the `LoginResponse` object as array so that you can see which config has which values.
311
+
It returns an `Observable<LoginResponse[]>`— one `LoginResponse` per config, in registration order — so you can see the status of each.
This method can be used to check the server for an authenticated session using the iframe silent renew if not locally authenticated. This is useful when opening an app in a new tab and you are already authenticated. This method ONLY works with iframe silent renew. It will not work with refresh tokens. With refresh tokens, you cannot do this, as consent is required.
357
+
The same local bootstrap as [`checkAuth()`](#checkauthurl-string-configid-string), **plus** an iframe silent renew against the identity provider when the user isn't already locally authenticated.
358
+
359
+
Use this when your app needs to detect a server-side session that this app hasn't observed yet — typically the SSO scenario where the user is already signed in to the IdP via another app and you want this app to pick that up automatically on first load.
360
+
361
+
> This method **only works with iframe silent renew**. It does **not** work with refresh tokens (`useRefreshToken: true`), because completing the flow there would require user consent.
This method must be called when you want to redirect to the authority and sign in the identity. This method takes a `configId` as parameter if you want to use a specific config and it also takes `authOptions` adding `customParams` or `redirectUrl` which can change every time you want to login.
482
-
It also accepts an `urlHandler` which is getting called instead of the redirect.
495
+
**Call this when the user initiates a sign-in** — typically from a "Login" button click handler, or when an auth guard determines the user needs to authenticate. It redirects the browser to the identity provider's login page.
496
+
497
+
> `authorize()` does **not** check or restore session state. That's the job of [`checkAuth()`](#checkauthurl-string-configid-string), which you call once on app load.
498
+
499
+
This method takes a `configId` if you want to target a specific config and an `authOptions` object with `customParams` or `redirectUrl` for per-call customization. It also accepts a `urlHandler` that is called instead of the redirect (useful if you need to construct the navigation yourself).
483
500
484
501
See also: [Custom parameters](custom-parameters.md).
Copy file name to clipboardExpand all lines: docs/site/angular-auth-oidc-client/docs/intro.md
+14-1Lines changed: 14 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -94,7 +94,13 @@ export class AppModule {}
94
94
95
95
## Login and Logout
96
96
97
-
Make sure the login is checked at the beginning of your app (for example in the `app.component.ts`). The `OidcSecurityService` provides everything you need to login/logout your users.
97
+
The library distinguishes between two operations that are called at very different moments. Knowing which one to call when is the most important thing to understand:
98
+
99
+
-**`checkAuth()`** — call **once on every app load** (typically from your root component's `ngOnInit`). It bootstraps the library: processes the callback if the user has just returned from the identity provider, restores any existing session from storage so a page refresh keeps the user signed in, and starts silent token renewal if configured. It does **not** redirect the user. The returned `Observable<LoginResponse>` tells you whether the user is authenticated.
100
+
101
+
-**`authorize()`** — call when the user *initiates* a login (clicks a "Sign in" button, or an auth guard demands authentication). It redirects the browser to the identity provider's login page.
// User clicked sign-in: redirect to the identity provider.
113
122
this.oidcSecurityService.authorize();
114
123
}
115
124
@@ -118,3 +127,7 @@ export class AppComponent implements OnInit {
118
127
}
119
128
}
120
129
```
130
+
131
+
> **Multiple configs:** if you registered more than one `provideAuth` configuration, use `checkAuthMultiple()` instead of `checkAuth()`. See the [Public API](documentation/public-api.md) reference for both methods.
132
+
133
+
> **Single Sign-On scenario:** if you want the app to detect an existing session at the identity provider that hasn't been observed by this app yet (e.g. the user signed in to another app on the same IdP), use `checkAuthIncludingServer()`. It performs the same local bootstrap as `checkAuth()` plus an iframe silent renew against the IdP.
0 commit comments