Skip to content

Commit 4b7e9c1

Browse files
authored
Merge pull request #2219 from damienbod/docs/clarify-checkauth-vs-authorize
docs: clarify the roles of checkAuth and authorize (closes #2205)
2 parents e54268f + eb195c9 commit 4b7e9c1

2 files changed

Lines changed: 41 additions & 11 deletions

File tree

docs/site/angular-auth-oidc-client/docs/documentation/public-api.md

Lines changed: 27 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -258,11 +258,15 @@ this.oidcSecurityService.getUserData('configId').subscribe((data)=> ... );
258258

259259
## checkAuth(url?: string, configId?: string)
260260

261-
This method starts the complete authentication flow. Use this method if you are running with a single config or want to check a single config.
261+
**Call this once on every app load** (typically from your root component's `ngOnInit`). Without it, the library never bootstraps and the auth state stays uninitialised.
262262

263-
This method parses the URL when redirected back from the Security Token Service (STS) and sets all values.
263+
Specifically, `checkAuth()` does three things:
264264

265-
It returns an `Observable<LoginResponse>` containing all information you need in one object.
265+
1. **Processes the callback** if the current URL contains an auth response from the identity provider (after the redirect back from sign-in).
266+
2. **Restores an existing session** from storage if one is present, so a page refresh keeps the user signed in.
267+
3. **Starts silent token renewal** and the periodic token-validity check, if configured.
268+
269+
It returns an `Observable<LoginResponse>` describing the result:
266270

267271
```ts
268272
{
@@ -275,13 +279,15 @@ It returns an `Observable<LoginResponse>` containing all information you need in
275279
}
276280
```
277281

282+
> `checkAuth()` does **not** redirect the user anywhere. To start a *new* sign-in (e.g. on a "Login" button click), call [`authorize()`](#authorizeconfigid-string-authoptions-authoptions) instead.
283+
278284
```ts
279285
this.oidcSecurityService.checkAuth().subscribe(({ isAuthenticated, userData, accessToken, idToken, configId }) => {
280286
// ...use data
281287
});
282288
```
283289

284-
You can also pass a `configId` to check for as well as a URL in case you want to overwrite the current one in the address bar from the browser. This is useful for mobile or desktop cases like Electron or Cordova/Ionic.
290+
You can also pass a `configId` to target a specific config, and a `url` to override the URL the library reads the callback from. The custom URL is mainly useful for non-browser shells like Electron or Cordova/Ionic where `window.location` doesn't reflect the callback.
285291

286292
```ts
287293
const url = '...';
@@ -292,13 +298,17 @@ this.oidcSecurityService.checkAuth(url, configId).subscribe(({ isAuthenticated,
292298
});
293299
```
294300

301+
> **Multiple configs:** `checkAuth()` only bootstraps a single config. If you've registered more than one via `provideAuth`, use [`checkAuthMultiple()`](#checkauthmultipleurl-string) to bootstrap all of them in one call.
302+
303+
> **Already signed in elsewhere?** If you want the app to detect a server-side session at the identity provider that this app hasn't observed yet (typical SSO case), use [`checkAuthIncludingServer()`](#checkauthincludingserverconfigid-string).
304+
295305
## checkAuthMultiple(url?: string)
296306

297-
This method starts the complete authentication flow for multiple configs. Use this method if you are running with multiple configs to check which one is authenticated or not.
307+
The multi-config equivalent of [`checkAuth()`](#checkauthurl-string-configid-string). Use this once on every app load **if you've registered more than one `provideAuth` configuration** — it bootstraps all of them in a single call.
298308

299-
This method parses the URL when you come back from the Security Token Service (STS) and sets all values.
309+
It does the same three things as `checkAuth()` (processes the callback, restores stored sessions, starts silent renewal), applied to every registered config.
300310

301-
It returns an `Observable<LoginResponse[]>` containing all information you need in the `LoginResponse` object as array so that you can see which config has which values.
311+
It returns an `Observable<LoginResponse[]>` — one `LoginResponse` per config, in registration order — so you can see the status of each.
302312

303313
```ts
304314
[
@@ -344,7 +354,11 @@ this.oidcSecurityService.isAuthenticated('configId').subscribe((isAuthenticated)
344354

345355
## checkAuthIncludingServer(configId?: string)
346356

347-
This method can be used to check the server for an authenticated session using the iframe silent renew if not locally authenticated. This is useful when opening an app in a new tab and you are already authenticated. This method ONLY works with iframe silent renew. It will not work with refresh tokens. With refresh tokens, you cannot do this, as consent is required.
357+
The same local bootstrap as [`checkAuth()`](#checkauthurl-string-configid-string), **plus** an iframe silent renew against the identity provider when the user isn't already locally authenticated.
358+
359+
Use this when your app needs to detect a server-side session that this app hasn't observed yet — typically the SSO scenario where the user is already signed in to the IdP via another app and you want this app to pick that up automatically on first load.
360+
361+
> This method **only works with iframe silent renew**. It does **not** work with refresh tokens (`useRefreshToken: true`), because completing the flow there would require user consent.
348362
349363
Returns an `Observable<LoginResponse>`.
350364

@@ -478,8 +492,11 @@ this.oidcSecurityService.getState('configId').subscribe(/*...*/);
478492

479493
## authorize(configId?: string, authOptions?: AuthOptions)
480494

481-
This method must be called when you want to redirect to the authority and sign in the identity. This method takes a `configId` as parameter if you want to use a specific config and it also takes `authOptions` adding `customParams` or `redirectUrl` which can change every time you want to login.
482-
It also accepts an `urlHandler` which is getting called instead of the redirect.
495+
**Call this when the user initiates a sign-in** — typically from a "Login" button click handler, or when an auth guard determines the user needs to authenticate. It redirects the browser to the identity provider's login page.
496+
497+
> `authorize()` does **not** check or restore session state. That's the job of [`checkAuth()`](#checkauthurl-string-configid-string), which you call once on app load.
498+
499+
This method takes a `configId` if you want to target a specific config and an `authOptions` object with `customParams` or `redirectUrl` for per-call customization. It also accepts a `urlHandler` that is called instead of the redirect (useful if you need to construct the navigation yourself).
483500

484501
See also: [Custom parameters](custom-parameters.md).
485502

docs/site/angular-auth-oidc-client/docs/intro.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -94,7 +94,13 @@ export class AppModule {}
9494

9595
## Login and Logout
9696

97-
Make sure the login is checked at the beginning of your app (for example in the `app.component.ts`). The `OidcSecurityService` provides everything you need to login/logout your users.
97+
The library distinguishes between two operations that are called at very different moments. Knowing which one to call when is the most important thing to understand:
98+
99+
- **`checkAuth()`** — call **once on every app load** (typically from your root component's `ngOnInit`). It bootstraps the library: processes the callback if the user has just returned from the identity provider, restores any existing session from storage so a page refresh keeps the user signed in, and starts silent token renewal if configured. It does **not** redirect the user. The returned `Observable<LoginResponse>` tells you whether the user is authenticated.
100+
101+
- **`authorize()`** — call when the user *initiates* a login (clicks a "Sign in" button, or an auth guard demands authentication). It redirects the browser to the identity provider's login page.
102+
103+
A typical app shape:
98104

99105
```ts
100106
import { OidcSecurityService } from 'angular-auth-oidc-client';
@@ -106,10 +112,13 @@ export class AppComponent implements OnInit {
106112
private readonly oidcSecurityService = inject(OidcSecurityService);
107113

108114
ngOnInit() {
115+
// Bootstrap on every page load. Handles the IdP callback,
116+
// restores stored sessions, and starts silent renewal.
109117
this.oidcSecurityService.checkAuth().subscribe(({ isAuthenticated, userData}) => /* ... */);
110118
}
111119

112120
login() {
121+
// User clicked sign-in: redirect to the identity provider.
113122
this.oidcSecurityService.authorize();
114123
}
115124

@@ -118,3 +127,7 @@ export class AppComponent implements OnInit {
118127
}
119128
}
120129
```
130+
131+
> **Multiple configs:** if you registered more than one `provideAuth` configuration, use `checkAuthMultiple()` instead of `checkAuth()`. See the [Public API](documentation/public-api.md) reference for both methods.
132+
133+
> **Single Sign-On scenario:** if you want the app to detect an existing session at the identity provider that hasn't been observed by this app yet (e.g. the user signed in to another app on the same IdP), use `checkAuthIncludingServer()`. It performs the same local bootstrap as `checkAuth()` plus an iframe silent renew against the IdP.

0 commit comments

Comments
 (0)