Description

Convert salte-auth to ES6

Description

AngularJS 1.6.0+ prefixes the callback URL with a hash/bang combination with no trailing slash between the hash/bang and the fragment sent back with the access token (e.g. #!#access_token=...). Some identity providers support including the hash/bang in the callback URL and then they exclude the hash from the fragment. Other identity providers support including the hash/bang in the callback URL but still include the hash in the fragment. The bottom line is that there are a lot of Identity provider inconsistencies in handling the fragment-portion of the URL and its relationship to other hashes that might be included in the callback URL or added by the front-end JavaScript framework prior to an interceptor parsing it. As a result, we need to be much more flexible in our approach to parsing the fragment sent back from the identity provider.

Description

Research the feasibility and implications of preventing the web-based application's session from timing out. This could be useful while an application is under development or allows the user to manage large client-side updates before invoking server-side code. If the latter applies than it is assumed that the application is running in a secured environment where the display device has a timeout and lock-screen of its own.

☝️ Greenkeeper’s updated Terms of Service will come into effect on April 6th, 2018.

Version 2.0.10 of karma-webpack was just published.

This version is covered by your current version range and after updating it in your project the build failed.

karma-webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

OAuth 2.0 validation information needs to be passed to the forgotPassword url, as such trying to implement this on the end-developer side is a bit difficult.

Instead we should implement a function that either generates a forgotPassword url if it can or it throws an error saying it isn't support for the given provider.

Example

https://some-user-pool.auth.us-east-1.amazoncognito.com/forgotPassword?state=cb9bb075-58c8-4c71-93ff-f605baa913fe&nonce=1d0c3f15-2e89-4dd2-a1e7-92ccee7734f3&response_type=token&redirect_uri=<my-redirect-uri>&client_id=<my-client-id>&scope=openid

Version 2.10.1 of webpack-dev-server was just published.

This version is covered by your current version range and after updating it in your project the build failed.

webpack-dev-server is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

Certain tests will fail when executed on their own and pass when executed with others.

Browsers Affected

• Chrome
• Firefox
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

Description

Currently salte-auth utilizes callbacks to let the user know
when a request is done. Instead we should use Promises.

Description

Currently having salte-auth be a singleton is forcing users to utilize it in a certain way.

By revoking its singleton status we put the control in the hands of the developers.

EDIT (April 8th, 2019)

Effectively this was making it impossible to create multiple instances of SalteAuth since it would reference the global version of giving the user a new instance.

While this functionality has been removed in v3.0.0 it also isn't entirely relevant anymore since users can register multiple providers.

Description

When you attempt to login to renew your access token on an IDP that doesn't support iFrames the request never resolves.

Expected outcome

salte.auth.login().catch((error) => {
  console.log(error); 
  /*
   * {
   *    code: 'login_iframe_blocked',
   *    description: 'The identity provider is blocking login requests via iFrames.'
   * }
   */
});

Actual outcome

salte.auth.login().catch((error) => {
  // The login promise falls into limbo as theres no way for it to resolve
});

Browsers Affected

• Chrome
• Firefox
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

References

• https://stackoverflow.com/questions/7950184/is-there-a-client-side-way-to-detect-x-frame-options#answer-37979701

Description

Simplify the code by replacing the wheel reinventing _guid function with node-uuid.

Version 0.5.5 of html-loader was just published.

This version is covered by your current version range and after updating it in your project the build failed.

html-loader is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Version 3.1.0 of webpack just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As webpack is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Pros

• No longer need to deploy to latest branch
• Ability to utilize .npmrc
• Ability to upgrade to semantic-release 13+

Cons

• Dropped support for Polymer 1 - 2

Description

This seems to be linked to how we're opening the new tab.
salte-auth isn't recognizing it as a window owned by us.

https://github.com/salte-io/salte-auth/blob/533569282222a72b66c047791bfdede7df981e6c/src/salte-auth.utilities.js#L258-L263

This is due to us having to name the window _blank in order to initiate a new tab rather then a popup.

https://github.com/salte-io/salte-auth/blob/533569282222a72b66c047791bfdede7df981e6c/src/salte-auth.utilities.js#L168-L174

Expected outcome

The new tab closes after we're redirected to our site.

Actual outcome

The new tab stays open after redirecting.

Live Demo

https://glitch.com/edit/#!/remix/salte-auth-demo

Browsers Affected

• Chrome
• Firefox
• Safari 11
• Safari 10
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

Description

By default, this component uses sessionStorage to store state information. However, it will also allow the consuming application to specify that localStorage be used instead by passing the following key/value pair to the init function: cacheLocation: 'localStorage'. This capability should be made more prominent by adding it to the documentation at the top of salte-auth.js.

Version 6.24.1 of babel-core just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As babel-core is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

☝️ Greenkeeper’s updated Terms of Service will come into effect on April 6th, 2018.

Version 4.0.1 of webpack was just published.

This version is covered by your current version range and after updating it in your project the build failed.

webpack is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

AngularJS 1.6 changed the default hashPrefix value to the bang symbol. As a result, we had to expose the hashPrefix through the configuration object to enable the consuming application to provide it.

Description

This was originally forked from the Azure Active Directory Authentication Library but has been dramatically revamped to support additional OpenID Connect and OAuth 2.0 Identity providers (as well as continuing to support AADAL). Even so, the usage instructions will be very much the same with a few minor tweaks.

Description

Sometimes users want to know when salte-auth fires off a login or logout event.

This should be facilitated via a new listeners api.

Proposed API

/**
 * Listens for an event to be invoked.
 * @param {('login'|'logout')} eventType the event to listen for.
 * @param {Function} callback A callback that fires when the specified event occurs.
 */
salte.auth.on(eventType, callback);

/**
 * Deregister a callback previously registered.
 * @param {('login'|'logout')} eventType the event to deregister.
 * @param {Function} callback A callback that fires when the specified event occurs.
 */
salte.auth.off(eventType, callback);

Description

WSO2's implementation if the id_token flow sends the ID token back as a query parameter instead of a URL fragment. This is not in alignment with the OpenID Connect specification and is generally considered to be a bad practice because of security concerns. As a result, we need to force the user to explicitly state that they want this behavior to be enabled.

Description

Setup coverage reporting

References

• https://github.com/istanbuljs/babel-plugin-istanbul

Description

Callback doesn't get executed when logging in with a popup via salte-auth-angular.

Expected outcome

Callback gets executed when logging in with a popup via salte-auth-angular.

Actual outcome

Callback doesn't get executed when logging in with a popup via salte-auth-angular.

Browsers Affected

• Chrome
• Firefox
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

Version 10.1.1 of yargs was just published.

This version is covered by your current version range and after updating it in your project the build failed.

yargs is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

This issue is here to facilitate discussion regarding the structure of the API for 2.0

Proposed API

/**
 * Authenticates using the iframe-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish authenticating
 */
salte.auth.signInWithIframe();

/**
 * Authenticates using the popup-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish authenticating
 */
salte.auth.signInWithPopup();

/**
 * Authenticates using the redirect-based OAuth flow.
 */
salte.auth.signInWithRedirect();

/**
 * Unauthenticates using the iframe-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish deauthenticating
 */
salte.auth.signOutWithIframe();

/**
 * Unauthenticates using the popup-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish deauthenticating
 */
salte.auth.signOutWithPopup();

/**
 * Unauthenticates using the redirect-based OAuth flow.
 */
salte.auth.signOutWithRedirect();

/**
 * Whether the user is currently authenticated
 */
salte.auth.profile.authenticated;

/**
 * The date and time that the access token will expire in unix time
 */
salte.auth.profile.expiration;

/**
 * The url that we will redirect to when signInWithRedirect is used
 */
salte.auth.profile.redirectUrl;

Description

Add support for Okta's Identity Provider.

Description

Replace window-level bindings with class properties

Version 4.1.0 of mocha was just published.

This version is covered by your current version range and after updating it in your project the build failed.

mocha is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

☝️ Greenkeeper’s updated Terms of Service will come into effect on April 6th, 2018.

Version 7.1.4 of babel-loader was just published.

This version is covered by your current version range and after updating it in your project the build failed.

babel-loader is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

This a followup to #135. This is a very similar issue.

I'm getting a state mismatch error and an additional authorize call to get the access token during a loginWithRedirect call.

This is due to having all routes secure and $onRouteChanged being triggered on the initial route

Expected outcome

loginWithRedirect returns no state mismatch error and makes no extra authorize calls during the login process

Actual outcome

loginWithRedirect returns a state mismatch error during the login process and makes an extra authorize call

Proposal

Don't authenticate a secure route during a login. I will open a PR with a proposed solution to resolve this issue.

Description

Currently we support logging in via a popup, iframe, and redirect.

However we do not have an option to explicitly login via a new tab.

Proposed API

/**
 * Authenticates using the new-tab-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish authenticating
 */
salte.auth.loginWithNewTab();

/**
 * Authenticates using the new-tab-based OAuth flow.
 * @return {Promise} a promise that resolves when we finish authenticating
 */
salte.auth.logoutWithNewTab();

Description

When running yarn run tdd the command will fail when any files are changed.

Browsers Affected

• Chrome
• Firefox
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

☝️ Greenkeeper’s updated Terms of Service will come into effect on April 6th, 2018.

Version 5.8.0 of nps was just published.

This version is covered by your current version range and after updating it in your project the build failed.

nps is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Description

Rather then utilizing route change functionality within various
frameworks we should implement a central set of functionality
within salte-auth.

References

https://github.com/PolymerElements/iron-location/blob/faaa959813d1dfa5defc5db30e55e799c89ec903/iron-location.html#L185-L188

Description

You are currently required to list the API endpoints that require authentication to a list of endpoints in the configuration. This, in turn, results in the component making a round-trip to the identity provider the first time each of the API endpoints listed is called. This needs to be enhanced so that any API calls not explicitly listed in the endpoints list or a new anonymous list are enriched with a shared access_token.

Description

Most browsers don't support opening a popup without a user event.

Expected outcome

The browser opens a popup.

Actual outcome

The browser doesn't open a popup.

Live Demo

https://salte-auth-144.glitch.me

Browsers Affected

• Chrome
• Firefox
• Safari 10
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

Version 3.2.0 of uuid was just published.

This version is covered by your current version range and after updating it in your project the build failed.

uuid is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Version 2.12.0 of coveralls just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As coveralls is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Description

The callback timeout is currently hard-coded to 6 seconds, which may not be long enough depending upon the performance of the token provider being used, network latency issues, etc. As a result, we will expose this through the config object so the consumer can provide their own timeout value. If not provided we will default the value to 6 seconds.

Description

If you use the fetch api with the URL / Request object then the request fails.

Expected outcome

The request succeeds.

Actual outcome

The request fails.

Browsers Affected

• Chrome
• Firefox
• Safari 9
• Safari 8
• Safari 7
• Edge
• IE 11
• IE 10

Description

The tests should be run via Sauce Labs on the following browsers:

• Microsoft Edge
• Chrome
• Firefox
• IE 10 to 11
• Safari 7 to 9

Description

node-uuid doesn't support being pulled in via a <script> tag, so we need to compile it with our code.

Related Issues

• defunctzombie/node-uuid#23

Description

I'm trying to use the latest 2.x version of SalteAuth with Angular. Calling loginWithRedirect with all routes secure returns the invalid_state error code "State provided by identity provider did not match local state."

Debugging SalteAuth I found the following occurs in this order:

1. $$onRouteChanged is getting called during the login. I'm not sure why. Maybe changing from nothing to the initial route?
2. Since all routes are secured it calls retrieveAccessToken
3. The user isn't logged in yet so the idToken is expired. This results in loginWithIframe being called
4. This results in a new call to $loginUrl. This changes the profile's $localState because $loginUrl always sets the $localState to a new uuid
5. This causes the state mismatch as the loginWithRedirect url passes a different state than what is in profile.$localState

Expected outcome

SalteAuth.loginWithRedirect only calls loginWithRedirect internally and passes the correct state

Actual outcome

SalteAuth.loginWithRedirect passes the wrong state due to both loginWithRedirect and loginWithIframe being called internally

Steps to reproduce

• Angular 5 app. I don't know if this matters.
• Call loginWithRedirect with a config similar to the one below, routes: true seems particularly important.

this.auth = new SalteAuth({
  provider: 'wso2',
  clientId: authConfig.clientId,
  providerUrl: authConfig.provider,
  responseType: 'id_token token',
  redirectUrl: location.origin + '/authorize',
  redirectLoginCallback: this.handleRedirect.bind(this),
  scope: 'openid',
  routes: true,
  endpoints: ['/api'],
});

Description

Convert tests to use Mocha and Chai.

Description

Authorizing against a multi-tenant instance of WSO2 Identity Server requires the tenant domain that the user wishes to authenticate against to be passed as a query parameter called "tenantDomain."

Description

Add Greenkeeper to keep dependencies up to date

References

• https://greenkeeper.io

Description

We have no intention of support IE9 or below, therefore polyfilling the atob function is unnecessary.

Version 4.1.5 of sinon was just published.

This version is covered by your current version range and after updating it in your project the build failed.

sinon is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴