Skip to content

Commit 6de0dbd

Browse files
authored
Merge pull request #2187 from ThorstenKunz/offline-access-warning-configurable
Make offline_access refresh-token warning configurable
2 parents 0112232 + dfa3b70 commit 6de0dbd

5 files changed

Lines changed: 76 additions & 3 deletions

File tree

README.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -109,6 +109,12 @@ import { AuthModule, LogLevel } from 'angular-auth-oidc-client';
109109
export class AppModule {}
110110
```
111111

112+
When using `silentRenew` together with `useRefreshToken`, requesting the
113+
`offline_access` scope is common and remains the default recommendation.
114+
Some providers support refresh token renewal in the browser without
115+
`offline_access`. In those cases, you can suppress the configuration warning
116+
with `disableRefreshTokenOfflineAccessScopeWarning: true`.
117+
112118
And call the method `checkAuth()` from your `app.component.ts`. The method `checkAuth()` is needed to process the redirect from your Security Token Service and set the correct states. This method must be used to ensure the correct functioning of the library.
113119

114120
```ts

projects/angular-auth-oidc-client/src/lib/config/default-config.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ export const DEFAULT_CONFIG: OpenIdConfiguration = {
1818
silentRenewTimeoutInSeconds: 20,
1919
renewTimeBeforeTokenExpiresInSeconds: 0,
2020
useRefreshToken: false,
21+
disableRefreshTokenOfflineAccessScopeWarning: false,
2122
usePushedAuthorisationRequests: false,
2223
ignoreNonceAfterRefresh: false,
2324
postLoginRoute: '/',

projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,6 +91,12 @@ export interface OpenIdConfiguration {
9191
* Default value is false.
9292
*/
9393
useRefreshToken?: boolean;
94+
/**
95+
* Suppresses the warning that recommends the `offline_access` scope when
96+
* using refresh tokens together with silent renew. Some providers support
97+
* this setup without requesting `offline_access`.
98+
*/
99+
disableRefreshTokenOfflineAccessScopeWarning?: boolean;
94100
/**
95101
* Activates Pushed Authorisation Requests for login and popup login.
96102
* Not compatible with iframe renew.
@@ -209,5 +215,5 @@ export interface OpenIdConfiguration {
209215
/**
210216
* Disable cleaning up the popup when receiving invalid messages
211217
*/
212-
disableCleaningPopupOnInvalidMessage?: boolean
218+
disableCleaningPopupOnInvalidMessage?: boolean;
213219
}
Lines changed: 53 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,53 @@
1+
import { OpenIdConfiguration } from '../../openid-configuration';
2+
import { useOfflineScopeWithSilentRenew } from './use-offline-scope-with-silent-renew.rule';
3+
4+
describe('useOfflineScopeWithSilentRenew', () => {
5+
const createConfig = (
6+
overrides: Partial<OpenIdConfiguration> = {}
7+
): OpenIdConfiguration => ({
8+
silentRenew: true,
9+
useRefreshToken: true,
10+
scope: 'openid profile',
11+
...overrides,
12+
});
13+
14+
it('returns a warning when refresh tokens are used without offline_access', () => {
15+
const result = useOfflineScopeWithSilentRenew(createConfig());
16+
17+
expect(result).toEqual({
18+
result: false,
19+
messages: [
20+
'When using silent renew and refresh tokens the `offline_access` scope is often required. If your provider supports this without it, set `disableRefreshTokenOfflineAccessScopeWarning` to suppress this warning.',
21+
],
22+
level: 'warning',
23+
});
24+
});
25+
26+
it('returns a positive result when the warning is disabled explicitly', () => {
27+
const result = useOfflineScopeWithSilentRenew(
28+
createConfig({
29+
disableRefreshTokenOfflineAccessScopeWarning: true,
30+
})
31+
);
32+
33+
expect(result).toEqual({
34+
result: true,
35+
messages: [],
36+
level: 'none',
37+
});
38+
});
39+
40+
it('returns a positive result when offline_access is included', () => {
41+
const result = useOfflineScopeWithSilentRenew(
42+
createConfig({
43+
scope: 'openid profile offline_access',
44+
})
45+
);
46+
47+
expect(result).toEqual({
48+
result: true,
49+
messages: [],
50+
level: 'none',
51+
});
52+
});
53+
});

projects/angular-auth-oidc-client/src/lib/config/validation/rules/use-offline-scope-with-silent-renew.rule.ts

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,21 @@ export const useOfflineScopeWithSilentRenew = (
66
): RuleValidationResult => {
77
const hasRefreshToken = passedConfig.useRefreshToken;
88
const hasSilentRenew = passedConfig.silentRenew;
9+
const disableOfflineAccessScopeWarning =
10+
passedConfig.disableRefreshTokenOfflineAccessScopeWarning;
911
const scope = passedConfig.scope || '';
1012
const hasOfflineScope = scope.split(' ').includes('offline_access');
1113

12-
if (hasRefreshToken && hasSilentRenew && !hasOfflineScope) {
14+
if (
15+
hasRefreshToken &&
16+
hasSilentRenew &&
17+
!hasOfflineScope &&
18+
!disableOfflineAccessScopeWarning
19+
) {
1320
return {
1421
result: false,
1522
messages: [
16-
'When using silent renew and refresh tokens please set the `offline_access` scope',
23+
'When using silent renew and refresh tokens the `offline_access` scope is often required. If your provider supports this without it, set `disableRefreshTokenOfflineAccessScopeWarning` to suppress this warning.',
1724
],
1825
level: 'warning',
1926
};

0 commit comments

Comments
 (0)