{"id":13777023,"url":"https://github.com/angular-oauth/angular-oauth","last_synced_at":"2025-12-12T03:45:09.829Z","repository":{"id":8503638,"uuid":"10113327","full_name":"angular-oauth/angular-oauth","owner":"angular-oauth","description":"Client-side (implicit grant) OAuth 2.0 authorization flow for AngularJS.","archived":false,"fork":false,"pushed_at":"2015-04-08T10:54:43.000Z","size":291,"stargazers_count":294,"open_issues_count":11,"forks_count":67,"subscribers_count":26,"default_branch":"master","last_synced_at":"2025-05-10T07:25:29.188Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/angular-oauth.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2013-05-17T00:36:09.000Z","updated_at":"2024-04-22T07:11:35.000Z","dependencies_parsed_at":"2022-09-11T07:50:46.507Z","dependency_job_id":null,"html_url":"https://github.com/angular-oauth/angular-oauth","commit_stats":null,"previous_names":["enginous/angular-oauth"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/angular-oauth%2Fangular-oauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/angular-oauth%2Fangular-oauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/angular-oauth%2Fangular-oauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/angular-oauth%2Fangular-oauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/angular-oauth","download_url":"https://codeload.github.com/angul
ar-oauth/angular-oauth/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253551796,"owners_count":21926362,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T18:00:36.506Z","updated_at":"2025-10-22T14:40:37.296Z","avatar_url":"https://github.com/angular-oauth.png","language":"JavaScript","funding_links":[],"categories":["User Manager","JavaScript"],"sub_categories":[],"readme":"About\n=====\n\nThis project provides an implementation of a client-side (implicit grant)\nOAuth 2.0 authorization flow.\n\nFeatures\n========\n\n* Retrieval of a user's token using popups using the promise-based\n  ``Token.getTokenByPopup()`` function, that presents the user with the\n  authorization endpoint and returns the token asynchronously.\n\n  (Implementation detail: A successfully obtained access token is handed back\n  to the parent window via ``window.opener.postMessage`` and the source and\n  origin of the sending window are verified by the parent.)\n\n* Access token verification using ``Token.verifyAsync``, by requesting token\n  information from the authorization server, verifying that the token\n  is valid and that it was generated by the current client (to prevent the\n  confused deputy problem).\n\n* Storage and retrieval of tokens via the `Token.get` and `Token.set`\n  calls in the `Token` service.\n\n* A preconfigured module for use with Google authentication.  
Check out the\n  `example/js/demo.js \u003cexample/js/demo.js\u003e`_ and\n  `example/demo.html \u003cexample/demo.html\u003e`_ for an example.\n\n\nDemo\n====\n\nOnline\n------\n\nCheck out the demo by going to `example/demo.html via rawgithub.com`_.\n\n.. _example/demo.html via rawgithub.com: https://rawgithub.com/angular-oauth/angular-oauth/master/example/demo.html\n\n\nLocal\n-----\n\n1. Run a static file server in the root directory (the one this file is in)\n   on ``localhost:9000``.  Python 2.X: ``python -m SimpleHTTPServer 9000``.\n\n2. Navigate to http://localhost:9000/example/demo.html.\n\n\nGoogle authentication quickstart\n================================\n\n1. Create a project in the `Google APIs Console`_.  In the \"API Access\" tab\n   of the console, create an OAuth 2.0 client ID.  When prompted, set the\n   following settings:\n\n   * **Application Type**: Web application.\n\n   * **Site or Hostname**: The location at which you'll host these files.\n\n\n2. Edit authorized redirect URIs and JavaScript origins to match where you\n   will be hosting your site.  For example, let's say you're planning to\n   host your site at https://example.com/.  In that case, you might upload\n   the `angular-oauth` code to https://example.com/angular-oauth/.  You would\n   then set your client ID settings accordingly:\n\n   * **Authorized Redirect URIs**:\n     https://example.com/angular-oauth/oauth2callback.html\n\n   * **Authorized JavaScript Origins**: https://example.com\n\n\n3. Add ``googleOauth`` as a dependency to your app.\n\n4. Configure the ``TokenProvider`` with the following minimal settings:\n\n   * `clientId`: (Required.) The client ID of your application, as given\n     by your authentication server.\n\n   * `redirectUri`: (Required.) The URI to redirect back to.  You normally\n     have to configure your authorization server to ensure that it redirects\n     back to this point.\n\n   * `scopes`: (Optional.) 
A list of scope tokens to describe the scope\n     of the access request (more concretely, what information will be\n     requested.)  The scopes available for a given service are probably\n     documented by the authorization server.\n\n   For example::\n\n     config(function(TokenProvider) {\n       TokenProvider.extendConfig({\n         clientId: '191261111313.apps.googleusercontent.com',\n         redirectUri: 'http://localhost:9000/oauth2callback.html',\n         scopes: [\"https://www.googleapis.com/auth/userinfo.email\"]\n       });\n     }).\n\n5. After doing this, you can inject the ``Token`` service and enjoy its methods:\n\n   * Request a token with ``Token.getTokenByPopup()``, which returns a\n     promise that resolves to an object with an ``access_token`` item.\n\n   * Verify that this is a valid token for your application by calling\n     ``Token.verifyAsync(accessToken)``, which returns a promise that\n     resolves to the response of `Google's TokenInfo service`_.\n\n   * If you're able to verify the token, persist it in the browser using\n     ``Token.set(accessToken)``.\n\n   * Then when you need that token (e.g., to authorize a web service call),\n     call ``Token.get()``.\n\n\n.. _Google APIs Console: https://code.google.com/apis/console/\n.. _Google's TokenInfo service: https://developers.google.com/accounts/docs/OAuth2UserAgent#validatetoken\n\n\nRoadmap\n=======\n\nThis is a work in progress!  Don't use it in production.  Here's some of what's\nyet to be done:\n\n* Security.  While some mechanisms have been implemented to prevent token\n  stealing, the project needs a systematic review of weaknesses.  Some things\n  to look out for are outlined in the OAuth specification, which also links\n  to other resources.\n\n  I also don't have intimate knowledge of the browser security model.  The\n  isolation of ``localStorage``.\n\n* Testing.  
Still lacking some confidence in this area, but soon enough\n  I'll need to do something about the lack of tests.\n\n* Customization.  Users may not always want to use popups.  Perhaps taking\n  over the entire browser window is more appropriate in some cases.  (The\n  reason for focusing on popup support is that tokens may expire, and ideally\n  reauthentication should be able to occur without interrupting the state of\n  the application.)\n\n* Browser compatibility and fault-tolerance.\n\n  * I've tested all of one browser (Chrome).\n\n  * The library currently depends on ``localStorage`` and doesn't take\n    alternative measures if it's not available.\n\n  * Unexpected behaviors are not handled gracefully.  For example, if the\n    user opens the callback page, they aren't presented with a friendly\n    message explaining what might have happened.  Ideally, the popup would\n    notify the parent when it's closed (if that's even possible when the\n    site in the popup has a different origin.)\n\n* It would be nice to support more authorization servers out of the box.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fangular-oauth%2Fangular-oauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fangular-oauth%2Fangular-oauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fangular-oauth%2Fangular-oauth/lists"}