Merge branch 'master' into master

Author: manfredsteyer

README.md

@@ -37,8 +37,8 @@ Successfully tested with **Angular 6** and its Router, PathLocationStrategy as w
 - The closed issues contain some ideas for PRs and enhancements (see labels)
 
 # Features 
-- Logging in via OAuth2 and OpenId Connect (OIDC) Implicit Flow (where user is redirected to Identity Provider)
-- "Logging in" via Password Flow (where user enters their password into the client)
+- Logging in via OAuth2 and OpenId Connect (OIDC) Implicit Flow (where a user is redirected to Identity Provider)
+- "Logging in" via Password Flow (where a user enters their password into the client)
 - Token Refresh for Password Flow by using a Refresh Token
 - Automatically refreshing a token when/some time before it expires
 - Querying Userinfo Endpoint
@@ -71,27 +71,27 @@ npm i angular-oauth2-oidc --save
 ## Importing the NgModule
 
 ```TypeScript
+import { HttpClientModule } from '@angular/common/http';
 import { OAuthModule } from 'angular-oauth2-oidc';
-[...]
+// etc.
 
 @NgModule({
   imports: [ 
-    [...]
-    HttpModule,
+    // etc.
+    HttpClientModule,
     OAuthModule.forRoot()
   ],
   declarations: [
     AppComponent,
     HomeComponent,
-    [...]
+    // etc.
   ],
   bootstrap: [
     AppComponent 
   ]
 })
 export class AppModule {
 }
-
 ``` 
 
 ## Configuring for Implicit Flow
@@ -100,7 +100,7 @@ This section shows how to implement login leveraging implicit flow. This is the
 Single Page Application. It sends the user to the Identity Provider's login page. After logging in, the SPA gets tokens.
 This also allows for single sign on as well as single sign off.
 
-To configure the library the following sample uses the new configuration API introduced with Version 2.1.
+To configure the library, the following sample uses the new configuration API introduced with Version 2.1.
 Hence, the original API is still supported.
 
 ```TypeScript
@@ -229,7 +229,7 @@ var headers = new HttpHeaders({
 });
 ```
 
-Since 3.1 you can also automate this task by switching ``sendAccessToken`` on and by setting ``allowedUrls`` to an array with prefixes for the respective urls. Use lower case for the prefixes.
+Since 3.1 you can also automate this task by switching ``sendAccessToken`` on and by setting ``allowedUrls`` to an array with prefixes for the respective URLs. Use lower case for the prefixes.
 
 ```TypeScript
 OAuthModule.forRoot({
@@ -250,10 +250,11 @@ See the [documentation](https://manfredsteyer.github.io/angular-oauth2-oidc/docs
 
 ## Tutorials
 
+* [Tutorial with Demo Servers available online](https://www.softwarearchitekt.at/post/2016/07/03/authentication-in-angular-2-with-oauth2-oidc-and-guards-for-the-newest-new-router-english-version.aspx)
 * [Angular Authentication with OpenID Connect and Okta in 20 Minutes](https://developer.okta.com/blog/2017/04/17/angular-authentication-with-oidc)
 * [Add Authentication to Your Angular PWA](https://developer.okta.com/blog/2017/06/13/add-authentication-angular-pwa)
 * [Build an Ionic App with User Authentication](https://developer.okta.com/blog/2017/08/22/build-an-ionic-app-with-user-authentication)
-
+* [On-Site Workshops](https://www.softwarearchitekt.at)
 
 
 

docs-src/session-checks.md

@@ -33,7 +33,7 @@ export const authConfig: AuthConfig = {
 To get notified, you can hook up for the event ``session_terminated``:
 
 ```TypeScript
-this.oauthService.events.filter(e => e.type === 'session_terminated').subscribe(e => {
-console.debug('Your session has been terminated!');
+this.oauthService.events.pipe(filter(e => e.type === 'session_terminated')).subscribe(e => {
+  console.debug('Your session has been terminated!');
 })
-```
+```

docs-src/silent-refresh.md

@@ -70,7 +70,7 @@ this
     .catch(err => console.error('refresh error', err));
 ```
 
-When there is an error in the iframe that prevents the communication with the main application, silentRefresh will give you a timeout. To configure the timespan for this, you can set the property ``siletRefreshTimeout`` (msec). The default value is 20.000 (20 seconds).
+When there is an error in the iframe that prevents the communication with the main application, silentRefresh will give you a timeout. To configure the timespan for this, you can set the property ``silentRefreshTimeout`` (msec). The default value is 20.000 (20 seconds).
 
 ### Automatically refreshing a token when/ before it expires
 

docs/additional-documentation/refreshing-a-token-(silent-refresh).html

@@ -655,7 +655,7 @@ <h1 id="refreshing-a-token-when-using-implicit-flow-silent-refresh-">Refreshing
     .oauthService
     .silentRefresh()
     .then(info =&gt; console.debug(&#39;refresh ok&#39;, info))
-    .catch(err =&gt; console.error(&#39;refresh error&#39;, err));</code></pre><p>When there is an error in the iframe that prevents the communication with the main application, silentRefresh will give you a timeout. To configure the timespan for this, you can set the property <code>siletRefreshTimeout</code> (msec). The default value is 20.000 (20 seconds).</p>
+    .catch(err =&gt; console.error(&#39;refresh error&#39;, err));</code></pre><p>When there is an error in the iframe that prevents the communication with the main application, silentRefresh will give you a timeout. To configure the timespan for this, you can set the property <code>silentRefreshTimeout</code> (msec). The default value is 20.000 (20 seconds).</p>
 <h3 id="automatically-refreshing-a-token-when-before-it-expires">Automatically refreshing a token when/ before it expires</h3>
 <p>To automatically refresh a token when/ some time before it expires, just call the following method after configuring the OAuthService:</p>
 <pre class="line-numbers"><code class="language-TypeScript">this.oauthService.setupAutomaticSilentRefresh();</code></pre><p>By default, this event is fired after 75% of the token&#39;s life time is over. You can adjust this factor by setting the property <code>timeoutFactor</code> to a value between 0 and 1. For instance, 0.5 means, that the event is fired after half of the life time is over and 0.33 triggers the event after a third.</p>

package.json

@@ -48,6 +48,7 @@
     "@types/jasminewd2": "~2.0.3",
     "@types/node": "~8.0.51",
     "codelyzer": "~4.0.1",
+    "cpr": "^3.0.1",
     "jasmine-core": "~2.8.0",
     "jasmine-spec-reporter": "~4.2.1",
     "karma": "~1.7.1",

projects/lib/package.json

@@ -4,7 +4,7 @@
   "author": {
     "name": "Manfred Steyer"
   },
-  "version": "4.0.2",
+  "version": "4.0.3",
   "repository": "manfredsteyer/angular-oauth2-oidc",
   "peerDependencies": {
     "@angular/common": "^6.0.0",

projects/lib/src/angular-oauth-oidic.module.ts

@@ -1,4 +1,4 @@
-import { OAuthStorage } from './types';
+import { OAuthStorage, OAuthLogger } from './types';
 import { NgModule, ModuleWithProviders } from '@angular/core';
 import { CommonModule } from '@angular/common';
 import { HTTP_INTERCEPTORS, HttpClientModule } from '@angular/common/http';
@@ -15,6 +15,10 @@ import { DefaultOAuthInterceptor } from './interceptors/default-oauth.intercepto
 import { ValidationHandler } from './token-validation/validation-handler';
 import { NullValidationHandler } from './token-validation/null-validation-handler';
 
+export function createDefaultLogger() {
+  return console;
+}
+
 export function createDefaultStorage() {
   return typeof sessionStorage !== 'undefined' ? sessionStorage : null;
 }
@@ -29,13 +33,12 @@ export class OAuthModule {
     config: OAuthModuleConfig = null,
     validationHandlerClass = NullValidationHandler
   ): ModuleWithProviders {
-    // const setupInterceptor = config && config.resourceServer && config.resourceServer.allowedUrls;
-
     return {
       ngModule: OAuthModule,
       providers: [
         OAuthService,
         UrlHelperService,
+        { provide: OAuthLogger, useFactory: createDefaultLogger },
         { provide: OAuthStorage, useFactory: createDefaultStorage },
         { provide: ValidationHandler, useClass: validationHandlerClass},
         {

projects/lib/src/auth.config.ts

@@ -37,7 +37,7 @@ export class AuthConfig {
   public oidc? = true;
 
   /**
-   * Defines whether to request a access token during
+   * Defines whether to request an access token during
    * implicit flow.
    */
   public requestAccessToken? = true;
@@ -66,7 +66,6 @@ export class AuthConfig {
 
   /**
    * Url of the userinfo endpoint as defined by OpenId Connect.
-   *
    */
   public userinfoEndpoint?: string = null;
 
@@ -107,9 +106,9 @@ export class AuthConfig {
 
   /**
    * Some auth servers don't allow using password flow
-   * w/o a client secreat while the standards do not
+   * w/o a client secret while the standards do not
    * demand for it. In this case, you can set a password
-   * here. As this passwort is exposed to the public
+   * here. As this password is exposed to the public
    * it does not bring additional security and is therefore
    * as good as using no password.
    */
@@ -159,7 +158,7 @@ export class AuthConfig {
   public sessionChecksEnabled? = false;
 
   /**
-   * Intervall in msec for checking the session
+   * Interval in msec for checking the session
    * according to http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
    */
   public sessionCheckIntervall? = 3 * 1000;
@@ -183,18 +182,18 @@ export class AuthConfig {
    */
   public disableAtHashCheck? = false;
 
-  /*
-     * Defines wether to check the subject of a refreshed token after silent refresh.
-     * Normally, it should be the same as before.
-    */
+  /**
+   * Defines wether to check the subject of a refreshed token after silent refresh.
+   * Normally, it should be the same as before.
+   */
   public skipSubjectCheck? = false;
 
   public useIdTokenHintForSilentRefresh? = false;
 
-  /*
-     * Defined whether to skip the validation of the issuer in the discovery document.
-     * Normally, the discovey document's url starts with the url of the issuer.
-     */
+  /**
+   * Defined whether to skip the validation of the issuer in the discovery document.
+   * Normally, the discovey document's url starts with the url of the issuer.
+   */
   public skipIssuerCheck? = false;
 
   /**
@@ -204,17 +203,17 @@ export class AuthConfig {
    */
   public fallbackAccessTokenExpirationTimeInSec?: number;
 
-  /*
-     * final state sent to issuer is built as follows:
-     * state = nonce + nonceStateSeparator + additional state
-     * Default separator is ';' (encoded %3B).
-     * In rare cases, this character might be forbidden or inconvenient to use by the issuer so it can be customized.
-     */
+  /**
+   * final state sent to issuer is built as follows:
+   * state = nonce + nonceStateSeparator + additional state
+   * Default separator is ';' (encoded %3B).
+   * In rare cases, this character might be forbidden or inconvenient to use by the issuer so it can be customized.
+   */
   public nonceStateSeparator? = ';';
 
-  /*
-   * set this to true to use HTTP BASIC auth for password flow
-  */
+  /**
+   * Set this to true to use HTTP BASIC auth for password flow
+   */
   public useHttpBasicAuthForPasswordFlow? = false;
 
   constructor(json?: Partial<AuthConfig>) {