angular app_initializer authentication

It does not store user credentials, of course, but it does store the authentication tokens in the specified storage. The main index.html file is the initial page loaded by the browser that kicks everything off. The AuthUserGuard is a CanActivate, CanActivateChild and CanLoad guard that allows routes to be loaded only if the user is authenticated. Sign in To do that first let's create a ConfigInitService which will load a configuration file and assign it's values to a variable. What is important here, before running our own code first we need to authenticate a user, show Keycloaks login page and so on. If we run an application right now nothing will change, because we only registered a new application profile, but havent make a use of it in the code. But to get up and running quickly just follow the below steps. if the user is not authenticated. based on a condition over an attribute of the authenticated user. // Optional: Tells the library where to store data. It indicates that our client is public and will not require secret to get access token. Backend application and Keycloak. The app initializer is added to angular app in the providers section of the app module using the APP_INITIALIZER injection token. data either in the local or session storage based on the user's choice. The Angular CLI (with Webpack under the hood) bundles all of the compiled javascript files together and injects them into the body of the index.html page so the scripts can be loaded and executed by the browser. The angular app runs with a fake backend by default to enable it to run completely in the browser without a real backend api (backend-less), to switch to a real api you just have to remove or comment out the line below the comment // provider used to create fake backend located in the app module (/src/app/app.module.ts). Most of the file is unchanged from when it was generated by the Angular CLI, only the paths property has been added to map @app and @environments to the /src/app and /src/environments directories. To finish configurating frontend client we need first to make sure that Access Type is set to public. The home component defines an angular 10 component that gets all users from the user service and makes them available to the template via a users array property. The app component template is the root component template of the application, it contains the main nav bar which is only displayed for authenticated users, and a directive for displaying the contents of each view based on the current route / path. Make sure that Test is selected. Lets move forward and change the Docker image definition. privacy statement. Now if there is any request made to the backend service our great Keycloak library is adding the Authorization HTTP header with an access token. But we still have a problem, how to replace those placeholders with values from environment variables? If youre running my preconfigured Keycloak instance you can skip this part or just quickly go thru it. Application supports two actions either fetch all the data or select a single movie by its id. Renaming the stsServer to authority. On startup the app attempts to automatically authenticate by sending the refresh token to the api to get a new JWT token, which enables users to stay logged in between page refreshes and browser sessions until they logout. I've come to a solution to this problem that works well for now.

Also we need to provide a Valid Redirect URIs which is very important from security point of view, because here were defining into which URLs Keycloak can redirect after successful authentication. This allows imports to be relative to the app and environments folders by prefixing import paths with aliases instead of having to use long relative paths (e.g. I assume that you might not be interested in going thru my previous tutorials to implement everything by yourself and thats why Ive prepared Docker compose file which will allow to start all necessary applications with a single command with my default configuration. Let's assume your user model looks like this: You can use the directive to predicate over it's attributes. In a new view we need to provide only a client name, which will be frontend. Other than coding, I'm currently attempting to travel around Australia by motorcycle with my wife Tina, you can follow our adventure on YouTube, Instagram, Facebook and our website If the user has logged in previously (without logging out) and the browser still contains a valid refresh token cookie, they will be automatically logged in when the app loads. For example they can be declared in OS, passing them as parameters using Docker commands, using Docker Compose file or be declared in Kubernetes Deployment or ConfigMap. In this post we'll go through an example of how to implement JWT authentication with refresh tokens in Angular 10. First, lets create a bash script located in the root folder of frontend project and call it In a first line were replacing the placeholders from and as a result it generates a config.json file with values from environment variables (which holds Keycloak url, realm and client info).

The form submit event is bound to the onSubmit() method of the login component. Apart from frontend app there are two other components in this project. The last thing that needs to be configured is Web Origins parameter and here Im providing + which will handle the CORS problem. The app module defines the root module of the application along with metadata about the module. The directive also exports the authenticated user, so it can be used in the template: The ngxAuthHas directive, similarly to the ngxAuth directive, conditionally includes a template but is well-tested and all implemented features work. The ngxAuthHas directive never includes the template if the user is not authenticated. Built with Docusaurus. The Angular CLI was used to generate the base project structure with the ng new command, the CLI is also used to build and serve the application. The auth guard is an angular route guard that prevents unauthenticated users from accessing restricted routes, it does this by implementing the CanActivate interface which allows the guard to decide if a route can be activated with the canActivate() method. NgxAuthUtils provides 4 storage providers that the library uses to store the authentication tokens and some other data. The home component template contains html and angular 10 template syntax for displaying a simple welcome message and a list of users from a secure api endpoint. how your authentication system works. NOTE: You can also start the app with the Angular CLI command ng serve --open. The main file is the entry point used by angular to launch and bootstrap the application. to refresh the token). We also introduced an easier way of configuring the lib from the start to align in best practices. As usual, not storing anything is the safest choice, but usually also not the best for the user's experience. The buit-in providers don't suite your needs? If we run the npm start command the app will start up and works as previously. Currently supports token based authentication with optional refresh token (for JWT authentication). The auth guard uses the authentication service to check if the user is logged in, if they are logged in it returns true from the canActivate() method, otherwise it returns false and redirects the user to the login page. This file is generated by the Angular CLI when creating a new project with the ng new command, I've excluded the comments in the file for brevity. On success the api returns the user details and a JWT token which are published to all subscribers with the call to, the api also returns a new refresh token cookie which replaces the old one in the browser. login(credentials: K): Observable Now go to the Clients page (its located in the left menu) and click Create button located on a right. There is KeycloakAngularModule added there. For me the most convenient is to use Docker Compose (docker-compose.yaml file located in the project root). Because were using Docker its quite easy to achieve. Apparently, configuration injected when importing AuthModule is not retrieved correctly when using OidcSecurityService from an APP_INITILIZER. I didn't worry about unsubscribing from the observable here because it's the root component of the application, the only time the app component will be destroyed is when the application is closed which will destroy any subscriptions as well, so there isn't any risk of orphaned subscriptions. If we would need to change the Keycloaks URL, realm name or client (development, test and production environment can be different) we would be forced to change it in the code for each version, as all these values are hardcoded. It will be our starting point. This config is valid for client-side frontends which are not able to securely store secrets for their clients (because the entire code of an application is running in users browser). The call to the .subscribe() method triggers the request to the api, and the .add() method is used for executing additional logic after the request completes (success or failure), so it works like a promise finally() method. Please read below on how to get the currently used configuration. Having the same issue after ugprading from v11.

Due to a lot of feedback about the AutoLoginGuard and usage we did not expect in that way we decided to give the AuthGuard a brush and divided it into a AutoLoginAllRoutesGuard when you want to secure your complete app and an AutoLoginPartialRoutesGuard if some of your routes are publicly accessible. The production environment config contains variables required to run the application in production. Atom, The entire code for this project can be found in my GitHub repository: Here is the list of all other posts in this series: Java Software Developer, DevOps newbie, constant learner, podcast enthusiast. The user property exposes an RxJS observable (Observable) so any component can subscribe to be notified when a user logs in, logs out or has their token refreshed, the notification is triggered by the call to from each method in the service. To apply it Ive also modified the start script in package.json file: For production proxy config Ive created the default.conf file, which is a configuration of Nginx server: The http://backend:9000/movies is an address of the backend service (if a backend service is running in the same Docker network, or in the same Kubernetes cluster with the same Service name). Once youve got that we need to start both services, so go to the terminal and in the root directory of a project run following command: In a first run it could take a little while, but after that it should be good. Http interceptors are added to the request pipeline in the providers section of the app.module.ts file. Now run the following command and a Docker container will be created and then started. The login component uses the authentication service to login to the application. Awesome, we're in the same situation as we were previously . Tags: This might be useful if you want to implement a "remember-me" functionality and want to store the authentication // Provide to the library your AuthenticationProvider implementation to authenticated agains your APIs. The method then starts a countdown timer by calling this.startRefreshTokenTimer() to auto refresh the JWT token in the background (silent refresh) one minute before it expires so the user stays logged in. The JWT Interceptor intercepts http requests from the application to add a JWT auth token to the Authorization header if the user is logged in and the request is to the application api url (environment.apiUrl). The home route is secured by passing the AuthGuard to the canActivate property of the route. For more info about the Angular CLI see Angular 10, Authentication and Authorization, Security, JWT, Share: Facebook For more info on setting up an Angular development environment see Angular - Setup Development Environment. After the user logs in the app starts a countdown to automatically refresh the token one minute before it expires, this is also referred to as "silent refresh" since it happens in the background. For more info on communicating between components with RxJS Observables see Angular 10 - Communicating Between Components with Observable & Subject. Any implementation of this class must implement the fetchUser and the doLogin methods. use your class in the configuration. Matching requests are intercepted and handled by one of the below // route functions, non-matching requests are sent through to the real backend by calling next.handle(request);. The index.ts files in each folder are barrel files that group the exported modules from each folder together so they can be imported using only the folder path instead of the full module path, and to enable importing multiple modules in a single import (e.g.

After hitting the Save button a detailed page for newly created client will show up. Learn on the go with our new app. But there is one problem with this approach. While the library itself is safe, what can lead to security problems is how you use it and An Angular library to ease the authentication integration with a backend. To check if the applications are running you can use command: All three containers are Up so we're good to proceed with configuring a hosts file on your machine. My problem is that most of the time (not even always), if I call this.oidcSecurityService.checkAuth().toPromise() from AppComponent.onInit(), OidcSecurityService initialisation is not finished when first guard is evaluated. The checkAuth() method no longer returns a boolean value denoting the authentication status. Have a question about this project? Therefore open the angular.json file and locate the section and add dev configuration which will be replacing the default environment.ts file with In the same file, scroll down a little bit to the serve section and in configurations add new dev entry with browserTarget: Finally we can go to the package.json file in which we can specify that when we want to run the start script we would like to enable the dev profile, by adding the -c dev parameter. The example project is available on GitHub at If the user is already logged in they are automatically redirected to the home page. The authority can also be the issuer but does not have to be. First step is to create separate configuration files for two cases development and production. The FormGroup class is part of the Angular Reactive Forms module and is bound to the login template above with the [formGroup]="loginForm" directive. I've been building websites and web applications in Sydney since 1998. To keep you sane and to keep this post short Ill skip showing HTML and CSS files, as the aim of the project is not to look nice. Have similar issue. Add NgxAuthUtilsModule.forRoot(config: NgxAuthUtilsConfig) in your app.module.ts NgModule imports. The aim of this post is to show you a basic set up an Angular application so that it will be integrated with Keycloak and it will be able to consume protected HTTP resource that requires an access token. Also create a new file, which will be the same as the default one: Having that we could now move on to the code and make use of it, but after the dev environment is not fully setup. So basically, I really want to await checkAuth in an APP_INITIALIZER to have a fully initialised security context when the first route is evaluated and component initialised. initialize(): Observable A full description of how to set up Keycloak instance and how to create a simple protected resource with Spring Boot Ive described in previous two articles. To login the app sends a POST request to the api to authenticate the username and password, on successful login the app receives a JWT token to make authenticated requests to secure api routes, and a refresh token (in a cookie) to get a new JWT token from the api when the old one expires (a.k.a. As you can see, just like the ngxAuth directive, the user instance is exported so it It contains methods for login, logout and refresh token, and contains properties for accessing the current user. Both are required to be running. To check if everything is working we can list Docker containers: Than go to a web browser and type http://localhost so it will redirect you to the login page and once you login you can play around with an app. If you look at the Dockerfile for frontend app it looks pretty straightforward: Its a two stage Dockerfile, in first step a project is build to HTML, CSS and JSes and in the second step all these files are copied to an NGINX server together with simple server configuration in default.conf file. Performs automatic login if a token is found in the configured storage. With the second line were replacing only one placeholder with a base url to the backend application in default.conf NGINX server configuration. confiService is returning the config object from which we can get necessary values. Use this if for example you don't want that a logged user might navigate to the login page. If youre not familiar with I would recommend to stop here and go check the first one Introduction to OAuth 2.0. If the response is 401 Unauthorized or 403 Forbidden the user is automatically logged out of the application, all other errors are logged to the console and re-thrown up to the calling service so an alert with the error can be displayed in the UI. The development environment config contains variables required to run the application in development. Instead of hardcoding the backend URL we can allow to dynamically assigning it during container startup. MemoryStorageProvider: Stores all data in memory. The countdown starts again after each silent refresh to keep the user logged in. Logs in with the given credentials. Right now were initializing KeycloakService before the entire application. For more info see The getter for the active configuration was removed as well as the object PublicConfiguration as return type. Finally to run the application we need to declare those environment variables. Some features used by Angular 10 are not yet supported natively by all major browsers, polyfills are used to add support for features where necessary so your Angular 10 application works across all major browsers. But it's totally optional and depends on your preferences. Below the route functions there are // helper functions for returning different response types and performing other tasks such as generating and validating jwt and refresh tokens. If the user is authenticated, the guard acts similarly to the AuthUserGuard: The AuthUserPredicateGuard checks that the given predicate complies with the authenticated user. can be used directly in the template.

Next, we need to go back to the keycloak-init.factory.ts and adjust it so that getConfig() method of above service is invoked before KeycloakService initialization. This is done by a class that implements the Angular HttpInterceptor interface, for more information on Angular HTTP Interceptors see or this article. Love podcasts or audiobooks? That is what the AutoLoginAllRoutesGuard is trying to solve. By clicking Sign up for GitHub, you agree to our terms of service and tokens from the configured storage. AuthWellKnownEndpoints are now part of the config, Custom Params to pass to requests have been renamed. We should provide here only our applications URLs, to prevent hackers from doing messy stuff. If youre building a large enterprise application or a one that is publicly available you may want to introduce a concept of users, so that they will be able login to their accounts, put their information and do some stuff with your app, if theyre allowed to. Because V12 introduces multiple configs, the first parameter is now configId and the second parameter is AuthOptions. To create a custom function, that we will than assign to APP_INITIALIZER just run this command: A new file was created. Instead, an object is returned containing: See checkAuth() returning LoginResponse instead of boolean. The library that were using is already providing a preconfigured, abstract KeycloakAuthGuard class from which we will extend ours. All data are served by Java application, which requires to provide a valid OAuth 2.0 access token. For full details about the ASP.NET Core api see ASP.NET Core 3.1 API - JWT Authentication with Refresh Tokens. In order to run and test the Angular application without a real backend API, the example uses a fake backend that intercepts the HTTP requests from the Angular app and sends back "fake" responses. are correct, null otherwise. Subscribe to Feed: Because V12 introduces multiple configs, the first parameter is now configId. Next step would be to make use of these two configuration. If you now try to play around with an app, by clicking All movies button or selecting movie by id, in one of the cases you'll get this kind of an error: This toast message inform the user that she/he doesnt have sufficient roles. Initialize the NgxAuthService in your root component: or in the angular APP_INITIALIZER in your root module: Provide your authentication provider implementation: The AuthenticationProvider provides an interface with your authentication system the NgxAuthService. import { AuthenticationService, UserService } from '../_services'). Already on GitHub? To finish this part, the only thing to do is to add this Guard to the app-routing.module.ts. DynamicStorageProvider: Let's you choose the provider at runtime, more specifically when the user logs in. But how application knows that? Have you found any alternative ways of doing this? The component uses reactive form validation to validate the input fields, for more information about angular reactive form validation see Angular 10 - Reactive Forms Validation Example.

Use the NgxAuthService to login your users! Next we need to register this function in the app.module.ts file, as a provider: Take a closer look in the imports section. My problem is that most of the time (not even always), if I call this.oidcSecurityService.checkAuth().toPromise() from AppComponent.onInit(), OidcSecurityService initialisation is not finished when first guard is evaluated. The method then starts a countdown timer by calling this.startRefreshTokenTimer() to auto refresh the JWT token in the background (silent refresh) one minute before it expires so the user stays logged in. Therefore, open the Keycloak page http://localhost:8080, select Administration Console and provide following credentials: After login, in the top right corner there will be displayed a name of a realm into which youre logged in. Open it and paste following content: Above function takes as an argument a KeycloakService which is an object from keycloak-angular library so that we can use it in a body of a function to config it by providing URL to the server, realm name and application's client id which was created a step before. The app initializer runs before the app starts up, and it attempts to automatically authenticate the user by calling authenticationService.refreshToken() to get a new JWT token from the api. This service is mostly a wrapper around OidcSecurityService that exposes, among other stuff, an observable of typed users. I'm using => "angular-auth-oidc-client": "12.0.3". Here it is in action: (See on StackBlitz at Each feature has it's own folder (home & login), other shared/common code such as services, models, helpers etc are placed in folders prefixed with an underscore _ to easily differentiate them from features and group them together at the top of the folder structure. I'm currently attempting to travel around Australia by motorcycle with my wife Tina on a pair of Royal Enfield Himalayans. For full details about the ASP.NET Core api see Node.js + MongoDB API - JWT Authentication with Refresh Tokens. In the previous version, authWellKnownEndpoints was a separate parameter you could provide alongside the config in withConfig to configure your Security Token Service's Well-Known Endpoints. This is where the fake backend provider is added to the application, to switch to a real backend simply remove the fakeBackendProvider located below the comment // provider used to create fake backend.

The fake backend contains a handleRoute function that checks if the request matches one of the faked routes in the switch statement, at the moment this includes requests for handling authentication, refreshing tokens, revoking tokens, and getting all users.