{"id":19015069,"url":"https://github.com/adfinis/ember-simple-auth-oidc","last_synced_at":"2025-04-06T10:09:59.993Z","repository":{"id":39709899,"uuid":"139717033","full_name":"adfinis/ember-simple-auth-oidc","owner":"adfinis","description":"ember-simple-auth authenticator for the OpenID Connect standard","archived":false,"fork":false,"pushed_at":"2025-03-28T11:53:18.000Z","size":6505,"stargazers_count":22,"open_issues_count":21,"forks_count":19,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-03-29T09:44:11.213Z","etag":null,"topics":["authentication","ember","ember-addon","ember-simple-auth","openid-connect"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adfinis.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-04T12:08:18.000Z","updated_at":"2025-03-10T10:30:44.000Z","dependencies_parsed_at":"2023-02-19T16:16:12.443Z","dependency_job_id":"88d45058-659d-4a59-8689-84c0042e2b83","html_url":"https://github.com/adfinis/ember-simple-auth-oidc","commit_stats":{"total_commits":404,"total_committers":18,"mean_commits":"22.444444444444443","dds":0.5222772277227723,"last_synced_commit":"988d35b469c3cbd7b57772b8882632f79bd7aef2"},"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fember-simple-auth-oidc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fember-simple-auth-oidc/ta
gs","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fember-simple-auth-oidc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adfinis%2Fember-simple-auth-oidc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adfinis","download_url":"https://codeload.github.com/adfinis/ember-simple-auth-oidc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247464188,"owners_count":20942967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","ember","ember-addon","ember-simple-auth","openid-connect"],"created_at":"2024-11-08T19:35:21.902Z","updated_at":"2025-04-06T10:09:59.963Z","avatar_url":"https://github.com/adfinis.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ember-simple-auth-oidc\n\n[![npm version](https://badge.fury.io/js/ember-simple-auth-oidc.svg)](https://www.npmjs.com/package/ember-simple-auth-oidc)\n[![Test](https://github.com/adfinis/ember-simple-auth-oidc/actions/workflows/ci.yml/badge.svg)](https://github.com/adfinis/ember-simple-auth-oidc/actions/workflows/ci.yml)\n[![Code Style: Prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg)](https://github.com/prettier/prettier)\n[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)\n\nAn [Ember Simple Auth](http://ember-simple-auth.com) addon which implements the\nOpenID Connect 
[Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth).\n\n## Installation\n\n- Ember.js v4.12 or above\n- Ember CLI v4.12 or above\n- Node.js v18 or above\n\nNote: The addon uses [Proxy](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy)\nin its implementation. If IE browser support is necessary, a polyfill needs to be provided.\n\n```bash\n$ ember install ember-simple-auth-oidc\n```\n\nIf you're upgrading from 3.x to 4.x, see the [upgrade guide](docs/migration-v4.md).\n\n## Usage\n\nTo use the OIDC authorization code flow, the following elements need to be added\nto the Ember application.\n\nThe login / authentication route (for example the Ember Simple Auth default `/login`)\nneeds to extend from the `OIDCAuthenticationRoute`, which handles the authentication\nprocedure. In case the user is already authenticated, the transition is aborted.\n\n```js\n// app/routes/login.js\n\nimport OIDCAuthenticationRoute from \"ember-simple-auth-oidc/routes/oidc-authentication\";\n\nexport default class LoginRoute extends OIDCAuthenticationRoute {}\n```\n\nAuthenticated routes need to call `session.requireAuthentication` in their\nrespective `beforeModel`, to ensure that unauthenticated transitions are\nprevented and redirected to the authentication route. 
It's recommended to\nawait the `beforeModel` hook, to make sure authentication is handled before\nother API calls are triggered (which might lead to `401` responses, potentially\ncausing redirect loops).\n\n```js\n// app/routes/protected.js\n\nimport Route from \"@ember/routing/route\";\nimport { inject as service } from \"@ember/service\";\n\nexport default class ProtectedRoute extends Route {\n  @service session;\n\n  async beforeModel(transition) {\n    await this.session.requireAuthentication(transition, \"login\");\n  }\n}\n```\n\nTo include authorization info in all Ember Data requests, override `headers` in\nthe application adapter and include `session.headers` alongside any other\nnecessary headers. By extending the application adapter from either of the\nprovided `OIDCJSONAPIAdapter` or `OIDCRESTAdapter`, the `access_token` is\nrefreshed before Ember Data requests, if necessary. Both the `OIDCJSONAPIAdapter`\nand the `OIDCRESTAdapter` also provide default headers with the authorization\nheader included.\n\n```js\n// app/adapters/application.js\n\nimport { inject as service } from \"@ember/service\";\nimport OIDCJSONAPIAdapter from \"ember-simple-auth-oidc/adapters/oidc-json-api-adapter\";\n\nexport default class ApplicationAdapter extends OIDCJSONAPIAdapter {\n  @service session;\n\n  get headers() {\n    return { ...this.session.headers, \"Content-Language\": \"en-us\" };\n  }\n}\n```\n\n`ember-simple-auth-oidc` also provides a middleware which handles authorization\nand unauthorized requests on the apollo service provided by `ember-apollo-client`.\nSimply wrap the http link in `apolloMiddleware` like so:\n\n```js\n// app/services/apollo.js\n\nimport { inject as service } from \"@ember/service\";\nimport ApolloService from \"ember-apollo-client/services/apollo\";\nimport { apolloMiddleware } from \"ember-simple-auth-oidc\";\n\nexport default class CustomApolloService extends ApolloService {\n  @service session;\n\n  link() {\n    const httpLink = 
super.link();\n\n    return apolloMiddleware(httpLink, this.session);\n  }\n}\n```\n\nThe provided adapters and the apollo middleware already handle authorization and\nunauthorized requests properly. If you want the same behaviour for other request\nservices as well, you can use the `handleUnauthorized` function and the\n`refreshAuthentication.perform` method on the session. The following snippet\nshows an example of a custom fetch service with proper authentication handling:\n\n```js\nimport Service, { inject as service } from \"@ember/service\";\nimport { handleUnauthorized } from \"ember-simple-auth-oidc\";\nimport fetch from \"fetch\";\n\nexport default class FetchService extends Service {\n  @service session;\n\n  async fetch(url) {\n    await this.session.refreshAuthentication.perform();\n\n    const response = await fetch(url, { headers: this.session.headers });\n\n    if (!response.ok \u0026\u0026 response.status === 401) {\n      handleUnauthorized(this.session);\n    }\n\n    return response;\n  }\n}\n```\n\nEmber Simple Auth encourages the manual setup of the session service in the `beforeModel` of the\napplication route, starting with [version 4.1.0](https://github.com/simplabs/ember-simple-auth/releases/tag/4.1.0).\nThe relevant changes are described in their [upgrade to v4 guide](https://github.com/simplabs/ember-simple-auth/blob/master/guides/upgrade-to-v4.md).\n\n### Logout / Explicit invalidation\n\nThere are two ways to invalidate (logout) the current session:\n\n```js\nsession.invalidate();\n```\n\nThe session `invalidate` method ends the current ember-simple-auth session and therefore performs a\nlogout on the ember application. 
Note that the session on the authorization server is not invalidated\nthis way and a new token/session can simply be obtained when doing the authentication process again.\n\n```js\nsession.singleLogout();\n```\n\nThe session `singleLogout` method will invalidate the current ember-simple-auth session and after that\ncall the `end-session` endpoint of the authorization server. This will result in a logout of the\nember application and additionally invalidate the session on the authorization server, which will log\nthe user out of all applications using this authorization server!\n\n## Configuration\n\nThe addon can be configured in the project's `environment.js` file with the key `ember-simple-auth-oidc`.\n\nA minimal configuration includes the following options:\n\n```js\n// config/environment.js\n\nmodule.exports = function (environment) {\n  let ENV = {\n    // ...\n    \"ember-simple-auth-oidc\": {\n      host: \"http://authorization.server/openid\",\n      clientId: \"test\",\n      authEndpoint: \"/authorize\",\n      tokenEndpoint: \"/token\",\n      userinfoEndpoint: \"/userinfo\",\n    },\n    // ...\n  };\n  return ENV;\n};\n```\n\nHere is a complete list of all possible config options:\n\n**host** `\u003cString\u003e`  \nA relative or absolute URI of the authorization server.\n\n**clientId** `\u003cString\u003e`  \nThe OIDC client identifier valid at the authorization server.\n\n**authEndpoint** `\u003cString\u003e`  \nAuthorization endpoint at the authorization server. This can be a path which\nwill be appended to `host` or an absolute URL.\n\n**tokenEndpoint** `\u003cString\u003e`  \nToken endpoint at the authorization server. This can be a path which will be\nappended to `host` or an absolute URL.\n\n**endSessionEndpoint** `\u003cString\u003e` (optional)  \nEnd session endpoint at the authorization server. 
This can be a path\nwhich will be appended to `host` or an absolute URL.\n\n**userinfoEndpoint** `\u003cString\u003e`  \nUserinfo endpoint at the authorization server. This can be a path\nwhich will be appended to `host` or an absolute URL.\n\n**afterLogoutUri** `\u003cString\u003e` (optional)  \nA relative or absolute URI to redirect to after logout / end session.\n\n**scope** `\u003cString\u003e` (optional)  \nThe OIDC scope value. Default is `\"openid\"`.\n\n**expiresIn** `\u003cNumber\u003e` (optional)  \nMilliseconds after which the token expires. This is only a fallback value if the authorization server does not return an `expires_in` value. Default is `3600000` (1h).\n\n**refreshLeeway** `\u003cNumber\u003e` (optional)  \nMilliseconds before expire time at which the token is refreshed. Default is `30000` (30s).\n\n**tokenPropertyName** `\u003cString\u003e` (optional)  \nName of the property which holds the token in a successful authenticate request. Default is `\"access_token\"`.\n\n**authHeaderName** `\u003cString\u003e` (optional)  \nName of the authentication header holding the token used in requests. Default is `\"Authorization\"`.\n\n**authPrefix** `\u003cString\u003e` (optional)  \nPrefix of the authentication token. Default is `\"Bearer\"`.\n\n**loginHintName** `\u003cString\u003e` (optional)  \nName of the `login_hint` query parameter which is forwarded to the authorization server if it is present. This option allows overriding the default name `login_hint`.\n\n**amountOfRetries** `\u003cNumber\u003e` (optional)  \nNumber of retries to make if the request to fetch a new token fails. Default is `3`.\n\n**retryTimeout** `\u003cNumber\u003e` (optional)  \nTimeout in milliseconds between each retry if a token refresh should fail. Default is `3000`.\n\n**enablePkce** `\u003cBoolean\u003e` (optional)  \nEnables the PKCE mechanism to provide additional protection during code-to-token exchanges. 
Default is `false`.\n\n**unauthorizedRequestRedirectTimeout** `\u003cNumber\u003e` (optional)  \nDebounce timeout for redirection after (multiple) `401` responses are received to prevent redirect loops (at the cost of a small delay). Set to `0` to disable debouncing. Default is `1000`.\n\n## License\n\nThis project is licensed under the [LGPL-3.0-or-later license](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadfinis%2Fember-simple-auth-oidc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadfinis%2Fember-simple-auth-oidc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadfinis%2Fember-simple-auth-oidc/lists"}