Make final changes for code flow with silent refresh

Fixes #24

Author: jeroenheijmans

src/app/core/auth-config.ts

@@ -7,6 +7,7 @@ export const authConfig: AuthConfig = {
   redirectUri: window.location.origin + '/index.html',
   silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
   scope: 'openid profile email api', // Ask offline_access to support refresh token refreshes
+  useSilentRefresh: true,
   silentRefreshTimeout: 5000, // For faster testing
   timeoutFactor: 0.25, // For faster testing
   sessionChecksEnabled: true,

src/app/core/auth.service.ts

@@ -1,6 +1,6 @@
 import { Injectable } from '@angular/core';
 import { Router } from '@angular/router';
-import { OAuthErrorEvent, OAuthService, OAuthEvent, TokenResponse } from 'angular-oauth2-oidc';
+import { OAuthErrorEvent, OAuthService } from 'angular-oauth2-oidc';
 import { BehaviorSubject, combineLatest, Observable, ReplaySubject } from 'rxjs';
 import { filter, map } from 'rxjs/operators';
 
@@ -106,7 +106,7 @@ export class AuthService {
         // 2. SILENT LOGIN:
         // Try to log in via a refresh because then we can prevent
         // needing to redirect the user:
-        return this.tryNoPromptRefresh()
+        return this.oauthService.silentRefresh()
           .then(() => Promise.resolve())
           .catch(result => {
             // Subset of situations from https://openid.net/specs/openid-connect-core-1_0.html#AuthError
@@ -160,24 +160,14 @@ export class AuthService {
       .catch(() => this.isDoneLoadingSubject$.next(true));
   }
 
-  private tryNoPromptRefresh(): Promise<TokenResponse | OAuthEvent> {
-    if (this.oauthService.getRefreshToken()) {
-      console.log('Found a refresh token, trying to use it.');
-      return this.oauthService.refreshToken();
-    }
-
-    console.log('Found no refresh token, trying iframe based refresh');
-    return this.oauthService.silentRefresh();
-  }
-
   public login(targetUrl?: string) {
     // Note: before version 9.1.0 of the library you needed to
     // call encodeURIComponent on the argument to the method.
     this.oauthService.initLoginFlow(targetUrl || this.router.url);
   }
 
   public logout() { this.oauthService.logOut(); }
-  public refresh() { this.tryNoPromptRefresh(); }
+  public refresh() { this.oauthService.silentRefresh(); }
   public hasValidToken() { return this.oauthService.hasValidAccessToken(); }
 
   // These normally won't be exposed from a service like this, but

src/silent-refresh.html

@@ -1,20 +1,31 @@
-<!doctype html>
 <html>
+
 <body>
-    <script>
-      console.log("The silent-refresh.html file was loaded and now posting to the parent.");
-
-      // For code flow with IdentityServer4 the redirect will contain the new code in
-      // the location.search. However, the oauth library expects it in the hash fragment
-      // so we need to "fake" that.
-      //
-      // We can't just set `silentRefreshMessagePrefix` on AuthConfig, because the normal
-      // redirect after interactive login *does* use the hash fragment, so we'd break that.
-      //
-      // See also: https://github.com/manfredsteyer/angular-oauth2-oidc/issues/777
-      const fakeHashFragment = location.search.replace(/^\?/, "#");
-
-      parent.postMessage(fakeHashFragment, location.origin);
-    </script>
+  <script>
+    // Based on: https://manfredsteyer.github.io/angular-oauth2-oidc/docs/additional-documentation/silent-refresh.html
+
+    const checks = [/[\?|&|#]code=/, /[\?|&|#]error=/, /[\?|&|#]token=/, /[\?|&|#]id_token=/];
+
+    function isResponse(str) {
+      let count = 0;
+
+      if (!str) {
+        return false;
+      }
+
+      for (let i = 0; i < checks.length; i++) {
+        if (str.match(checks[i])) return true;
+      }
+
+      return false;
+    }
+
+    let message = isResponse(location.hash) ? location.hash : '#' + location.search;
+
+    console.log("Silent refresh iframe is posting to the parent application, message:", message);
+
+    (window.opener || window.parent).postMessage(message, location.origin);
+  </script>
 </body>
+
 </html>