Consider ES2015 modules and using individual JS files from jsrsasign #196

Closed
dharapvj opened this issue Dec 18, 2017 · 12 comments
Labels
investigation-needed Indication that the maintainer or involved community members may need to investigate more.

Comments

@dharapvj

Hi,

First of all, thanks for a great library. I have been trying to learn the concepts of OAuth and OIDC, and this library comes in very handy.

Currently, I tried using this in an Angular-CLI project and checked that the application needs the entire JS files from angular-oauth2-oidc (32kb) as well as jsrsasign (85kb). That's a fairly big chunk to bring to the first page, as this library would be needed for authentication.

I see that we use quite minimal parts from JSRSAsign lib.

I checked if jsrsasign is ES2015 friendly, but it appears that there are no immediate plans to move to ES2015 modules. But as the comment notes, there are smaller bundles available for consumption.

I think using some libs from here should be sufficient for our usage.

Mostly, we need only the packages below (or maybe even fewer):

  • Crypto
  • JWS
  • KeyUtil

Hope that can bring down the package size needs for the jsrsasign library.

Similarly, I think library publishing currently has some issues leading to usage of the entire library (umd.js). package.json specifies the module field as "module": "angular-oauth2-oidc.js", but this js file is not present in the package that was downloaded (v3.1.4). Maybe that's why the entire library must get included currently. Fixing this should bring down the size of the angular-oauth2-oidc library in the overall bundle.

Let me know if you need more information.

@manfredsteyer
Owner

manfredsteyer commented Dec 19, 2017

Thanks for this info. Let's consider this for a future release. Ofc, the bug with the main flag needs to be solved soon.

But I have a quick solution for you:

  • If you set the NullValidationHandler instead of the JwksValidationHandler the CLI should tree shake away JSRSAsign. I have not tried it but it should be the case.

  • You can also create a custom ValidationHandler instead of this. This could use a slimmer library.

If you go this way I would be happy about a contribution, e.g. a pull request.

What do you think?

@dharapvj
Author

Sure I will give it a try

@manfredsteyer
Owner

Did you find out sth?

@ccarrasc

ccarrasc commented Mar 1, 2018

Just ran into this myself. Latest Rollup (0.56.3) does not tree shake jsrsasign away. (or it at least leaves the require('jsrsasign') statement in the bundle)

@bilelmsekni

This is still an issue even with the NullValidationHandler

Does anyone have an idea what to do?

manfredsteyer added the investigation-needed label May 12, 2018
@manfredsteyer
Owner

Thanks for this feedback. I will make this one priority for version 4.1.
4.0 will come with Angular 6 support and then I will hunt this down. It's an important thing.

@Toxicable
Contributor

Toxicable commented Jun 16, 2018

I've made this here: #356
Which will fix these issues and reduce dependencies size down to a very tiny amount.
However it comes at the cost of breaking changes (if we go for window.crypto)
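
The window.crypto route mentioned in this comment, and the custom ValidationHandler with a slimmer dependency suggested earlier in the thread, both come down to checking the id_token signature without jsrsasign. The following is an added sketch of that check using only Web Crypto, not code from angular-oauth2-oidc or from #356; `verifyRs256` and `makeSampleToken` are hypothetical names, the key pair and token are constructed samples, and wiring the function into the library's ValidationHandler is not shown.

```javascript
// Added example: verify an RS256 id_token signature with Web Crypto only.
// verifyRs256 and makeSampleToken are hypothetical names, not library APIs.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);
const RS256 = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
const enc = new TextEncoder();

const b64urlToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const bytesToB64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Returns true only if the token is a three-part JWS whose header says RS256
// and whose signature verifies under the given public JWK.
async function verifyRs256(token, jwk) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(new TextDecoder().decode(b64urlToBytes(h)));
    // Pin the algorithm: never let the token select "none" or an HMAC alg.
    if (header.alg !== 'RS256') return false;
    const key = await subtle.importKey('jwk', jwk, RS256, false, ['verify']);
    return await subtle.verify(RS256, key, b64urlToBytes(s), enc.encode(`${h}.${p}`));
  } catch {
    return false; // malformed base64/JSON or unusable key
  }
}

// Constructed sample input: a throwaway key pair and a token signed with it.
async function makeSampleToken(claims, alg = 'RS256') {
  const { publicKey, privateKey } = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    true, ['sign', 'verify']);
  const head = bytesToB64url(enc.encode(JSON.stringify({ alg, typ: 'JWT' })));
  const body = bytesToB64url(enc.encode(JSON.stringify(claims)));
  const sig = await subtle.sign(RS256, privateKey, enc.encode(`${head}.${body}`));
  const jwk = await subtle.exportKey('jwk', publicKey);
  return { token: `${head}.${body}.${bytesToB64url(sig)}`, jwk };
}
```

A signature check alone is not full ID token validation; issuer, audience, expiry and nonce checks remain separate steps.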

@iMarv

iMarv commented Aug 24, 2018

If you are building with webpack and know that you do not use the functionality that is provided by jsrsasign, you can get rid of the dependency with the help of webpack (in my case webpack 4).

We created a mock for the two modules used from jsrsasign

jsrsasign.js

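// Stub for jsrsasign's KEYUTIL: getKey never loads a key and always returns null.
module.exports.KEYUTIL = {
    getKey: b => null,
};

// Stub for KJUR.jws.JWS: verifyJWT performs no verification and always returns null.
module.exports.KJUR = {
    jws: {
        JWS: {
            verifyJWT: (...a) => null,
        },
    },
};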

Now all you have to do is add the following to your webpack config
webpack config

{
    resolve: {
        alias: {
            jsrsasign$: 'path/to/your/jsrsasign.js',
        }
    }
}

This will replace the dependency with your own file, reducing the bundle size drastically.
Just ensure that you are not using any functionality that relies on it.

@jogelin

jogelin commented Sep 20, 2019

Any news for this issue? Indeed, it's really heavy in my webpack analyze...

@unlight

unlight commented Oct 29, 2019

https://bundlephobia.com/[email protected]

BUNDLE SIZE 269.6kB MINIFIED
jsrsasign | 79.6% | ~ 214.45 kB
(self) | 18.4% | ~ 49.56 kB

@banjankri

We are using the NullValidationHandler and with angular/[email protected] jsrsasign still gets its way into the production bundle.

@jeroenheijmans
Collaborator

The maintainer chose a different route to fix this in Version 9.x, which does require switching to Code+PKCE flow (the new recommendation for SPAs).

I will close this issue because I think the most honest current way of things is that for Implicit Flow with JWKS, or for versions <9.x, this will not be resolved.

To summarize, your options for getting rid of jsrsasign and its impact on your bundle size:

  • Use v9.x of the library with Implicit Flow but do not use the JwksValidationHandler and its package (that depends on jsrsasign)
  • Use v9.x of the library with Code Flow, that does not need JWKS at all
