New Features/ Merged PRs

• ~ 50% less bundle size for code flow (recommended flow) due to putting non-treeshakable code only needed for implicit flow (not recommended anymore) into an lib of its own (see breaking change, below)
• New demo-project quickstart-demo shows most important aspects for code flow
• Angular 9 upgrade #718, jeroenheijmans
• Fix for issue 661 #720, mike-rivera
• Set userinfoEndpoint if userinfo_endpoint not exists #685, luciimon
• Add more types in OAuthService #684, vadjs
• Fix destroying route via silentRefresh when using hash strategy (Issue 277) #672, tpeter1985
• Clean up more resources in ngOnDestroy #666, Andreas-Hjortland
• Fix positioning of popup login window #664, Andreas-Hjortland
• Fixed not using config.openUri in code flow #660, axle-h
• Merge pull request #656 from dirkbolte/improve-error-for-missing-endpointUrl, dirkbolte
• Add more guides on another way to use loadDiscoveryDocumentAndTryLogin #648, jonyeezs
• Added popup related error handling for implicit grant, dekundu
• Support hash location strategy with code flow #634, gingters
• Unsubscribe from 'token_received' events before re-subscribing #630, l1b3r
• Correct implementation of rfc7636 section 4.1 #629, jfyne
• During session check, ignore messages with irrelevant origin #617, Maximaximum
• Allow clockSkewInSec to be different from 600 #615, vdveer
• Fixing disableAtHashCheck, not being recognized correctly #613, dorianweidler
• Add support for code flow silent-refresh and popup #609, KevinCathcart
• Always set expiration timers for valid token types #597, harmpauw
• Validate self when calling crypto provider #588, ryanmwright
• Removed duplicated condition for allowedUrls during interceptor logic and make it optional #584, adrianbenjuya
• Add CryptoHandler to public api. #583, Chris3773

Big Thanks to all Contributers

adrianbenjuya, Andreas-Hjortland, axle-h, Chris3773, dekundu, dirkbolte, dorianweidler, gingters, harmpauw, jeroenheijmans, jfyne, jonyeezs, KevinCathcart, l1b3r, luciimon, Maximaximum, mike-rivera, ryanmwright, tpeter1985, vadjs, vdveer

Also, big thanks to jeroenheijmans for doing an awesome job with moderating and analyzing the issues.

You all rock!

Resolved Bugs

• AutoSilentRefresh doesn't work after refresh the page bug #444
• Event type 'received_first_token' is never fired bug #564
• loadUserProfile will return roles of last user if current user has no roles assigned bug investigation-needed #580
• OAuthResourceServerConfig: customUrlValidation not used when allowedUrls not set bug future-version pr-welcome #593
• Url Helper Service should not discard question marks when parsing hash fragment bug investigation-needed #604
• Code Flow erroring out due to multipe expiry events bug pr-welcome #632
• Emit token_expires if token has already expired bug #637
• Unhandled Promise rejection: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document bug #641
• postMessage interfering issue bug #657
• Does Authorization Code Flow work with loadDiscoveryDocumentAndLogin(); bug #661
• Refresh timer not started after page reload bug investigation-needed #683
• refresh with code flow bug #688
• Debug mode with custom Logger breaks bug pr-welcome #709
• tryLoginCodeFlow Removing ? from URL Which is Invalid bug investigation-needed

Breaking Changes

With regards to tree shaking, beginning with version 9, the JwksValidationHandler has been moved to a library of its own. If you need it for implementing implicit flow, please install it using npm:

npm i angular-oauth2-oidc-jwks --save

After that, you can import it into your application by using this:

import { JwksValidationHandler } from 'angular-oauth2-oidc-jwks';

instead of that:

import { JwksValidationHandler } from 'angular-oauth2-oidc';

Please note, that this dependency is not needed for the code flow, which is nowadays the recommended flow for single page applications. This also results in smaller bundle sizes.