Skip to content

feat: add support for Online Access (Online Refresh Tokens)#934

Open
NandanPrabhu wants to merge 4 commits into
mainfrom
feat/online_access
Open

feat: add support for Online Access (Online Refresh Tokens)#934
NandanPrabhu wants to merge 4 commits into
mainfrom
feat/online_access

Conversation

@NandanPrabhu

@NandanPrabhu NandanPrabhu commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Adds full support for Online Access (Online Refresh Tokens / ORTs) in auth0-angular, mirroring the underlying auth0-spa-js feature.

Most of the configuration surface (refreshTokenMode, useDpop, useMrrt, useRefreshTokens) already passed through automatically since AuthConfig extends Auth0ClientOptions and Auth0ClientFactory spreads config directly — no changes needed there.

Changes

  • Exported RefreshTokenMode, InvalidConfigurationError, MissingScopesError from public-api.ts
  • 4 new tests in auth.service.spec.ts covering the call, options forwarding, state refresh, and error propagation
  • New "Online Access (Online Refresh Tokens)" section in EXAMPLES.md, covering both AuthModule.forRoot and standalone provideAuth0 configuration styles

Usage

import { AuthModule, RefreshTokenMode } from '@auth0/auth0-angular';

AuthModule.forRoot({
  domain: 'YOUR_AUTH0_DOMAIN',
  clientId: 'YOUR_AUTH0_CLIENT_ID',
  useRefreshTokens: true,
  refreshTokenMode: RefreshTokenMode.Online,
  useDpop: true,
  authorizationParams: { redirect_uri: window.location.origin },
});

Testing

  • All tests pass (npx jest --no-coverage — 184 tests)
  • npx tsc --noEmit — zero TypeScript errors
  • npx ng build auth0-angular — builds cleanly
  • npx ng lint — zero errors
  • Built against a local, linked copy of auth0-spa-js and smoke-tested RefreshTokenMode resolve correctly

Summary by CodeRabbit

  • New Features

    • Added documentation for online access using session-bound online refresh tokens, including setup requirements, configuration, validation, and MRRT compatibility.
    • Exposed refresh token mode and related configuration errors through the public library API.
  • Bug Fixes

    • Improved compatibility with the latest authentication client updates.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The Angular SDK upgrades its SPA dependency, re-exports online refresh-token errors and mode symbols, and adds documentation for online access configuration, validation, and MRRT compatibility.

Changes

Online refresh token support

Layer / File(s) Summary
SDK dependency and public exports
package.json, projects/auth0-angular/src/public-api.ts
Updates @auth0/auth0-spa-js to ^2.23.0 and re-exports MissingScopesError, InvalidConfigurationError, and RefreshTokenMode.
Online access documentation
EXAMPLES.md
Documents online refresh tokens, required DPoP and tenant/resource-server settings, Angular configuration examples, validation errors, and MRRT compatibility.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding Online Access support with Online Refresh Tokens.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/online_access

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@NandanPrabhu
NandanPrabhu force-pushed the feat/online_access branch 2 times, most recently from c6eb44d to 5a36e7e Compare July 6, 2026 05:55
@NandanPrabhu
NandanPrabhu marked this pull request as ready for review July 10, 2026 05:17
@NandanPrabhu
NandanPrabhu requested a review from a team as a code owner July 10, 2026 05:17
@NandanPrabhu

Copy link
Copy Markdown
Author

Snyk vulnerability check failing — root cause is an Angular major version, not a patch fix

CI is flagging 4 vulnerabilities in @angular/common, @angular/compiler, and @angular/core (currently pinned to ^19.2.21, resolving to 19.2.25):

19.2.25 is already the latest published patch in the 19.x line — there is no 19.x release that fixes these. Snyk's own remediation advice confirms the fix only lands in
20.3.25, i.e. this requires bumping across the Angular 19 → 20 major version boundary.

I tried a narrow fix — bumping only @angular/common, @angular/compiler, and @angular/core to ^20.3.25 while leaving the rest of the @angular/* packages at 19.2.21 — but npm install fails with ERESOLVE: @angular/animations, @angular/platform-browser, @angular/router, @angular/forms, and @angular/compiler-cli all declare a peer dependency on @angular/common@"19.2.25" (and its siblings) at that exact version. Angular's own packages are lockstep-versioned, so they can't be upgraded independently — this isn't fixable without upgrading the full Angular toolchain together.

This means fixing the Snyk finding requires a full Angular 19 → 20 major upgrade (@angular/, @angular/cli, @angular-devkit/build-angular, @angular-eslint/, ng-packagr,
run via ng update), which carries real breaking-change risk for this repo specifically:

  • This repo is still on RxJS 6 (^6.6.7) — Angular 20 likely requires RxJS 7+, which is itself a breaking change for any internal Observable usage.
  • Angular 20 raises the minimum supported Node.js version — CI/build images may need updating.
  • ng update runs automated codemods but the playground app, schematics, and any Angular APIs this SDK depends on need to be re-verified afterward (full rebuild + unit +
    e2e suite).

@NandanPrabhu
NandanPrabhu force-pushed the feat/online_access branch 4 times, most recently from a7a6678 to ef06256 Compare July 17, 2026 04:16
Adds revokeRefreshToken() to AuthService, following the same Observable
pattern as logout() — wraps the underlying Auth0Client call and triggers
AuthState.refresh() so isAuthenticated$/user$/idTokenClaims$ reflect the
result. This is the one gap in Online Access support — refreshTokenMode,
useDpop, and useMrrt already pass through AuthConfig's existing
Auth0ClientOptions config surface.

Also exports RefreshTokenMode, InvalidConfigurationError, MissingScopesError,
and RevokeRefreshTokenOptions from the package root, and documents the
feature in EXAMPLES.md.
Online Access (Online Refresh Tokens) is gated behind Auth0 account team
enablement. Adds the same Early Access notice used for the MFA section.
RefreshTokenMode is not exported until 2.23.0 — the previous ^2.21.0
range let installs resolve to an older minor where RefreshTokenMode is
undefined, breaking refreshTokenMode: RefreshTokenMode.Online at runtime.
Drops the revokeRefreshToken() method, its RevokeRefreshTokenOptions
export, tests, and EXAMPLES.md section added in 2b81160. Online Access
(refreshTokenMode, useDpop, useMrrt) and the other new exports
(RefreshTokenMode, InvalidConfigurationError, MissingScopesError) are
unaffected.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant