Current Behavior:
We were previously using AuthService.login() with JWT tokens, and everything worked fine.
Recently, we switched to using Reference Tokens (opaque tokens) on the backend to support real-time token revocation and higher security.
Backend now returns an access_token (reference token) and refresh_token via the /connect/token endpoint.
Exception message and full stack trace:
Steps to reproduce the issue:
5 Answer(s)
-
0
The ABP Angular AuthService and related infrastructure are designed to work with JWT tokens, as they rely on decoding the token to extract user information (such as in RememberMeService and other identity-related services). Reference tokens (opaque tokens) cannot be parsed on the client side, which leads to runtime errors when the Angular code attempts to decode or extract claims from them.
Key Points and Recommendations:
AuthService.login() and Reference Tokens:
- The built-in ABP Angular AuthService.login() expects JWTs and will attempt to parse them. Using reference tokens (opaque tokens) will cause errors in services that expect a JWT structure.
- There is currently no official support in ABP Angular for using reference tokens with AuthService.login() without encountering these issues.
RememberMeService and Token Parsing:
- RememberMeService and other ABP Angular services assume the access token is a JWT and will fail with reference tokens.
- There is no configuration option to disable or override this behavior out-of-the-box.
Recommended Angular-side Implementation:
- You must bypass or replace the ABP Angular AuthService and related token-handling services if you want to use reference tokens.
- Implement your own authentication service that:
- Stores the opaque access_token and refresh_token securely (e.g., in memory or secure storage).
- Does not attempt to decode the access_token.
- Handles token refresh and revocation using the refresh_token and backend endpoints.
- You can use loginUsingGrant() for manual token handling, but you must also implement your own user identity management (e.g., fetch user info from a /me endpoint after login).
Summary of Steps:
- Do not use AuthService.login() or RememberMeService with reference tokens.
- Implement a custom authentication flow:
- Call the /connect/token endpoint directly.
- Store tokens securely.
- Fetch user info from the backend as needed.
- Handle token refresh and revocation manually.
Alternative:
- If you require the built-in ABP Angular authentication and identity features, you must use JWT tokens.
No verified source available for this specific query. This approach aligns with common ABP conventions, but specific official documentation for this exact scenario is not available.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
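To make the custom flow recommended above concrete, here is an added example in TypeScript. It is not ABP's code and not from the thread: a client-side service that calls the token endpoint, keeps the opaque access_token and refresh_token in memory without ever decoding them, fetches identity from a userinfo endpoint, refreshes, and revokes on logout. The `TokenEndpoints` interface, the password grant, the `FakeAuthServer` and its credentials are assumptions chosen so the sample runs offline; the same steps are restated later in the thread by the Angular team.

```typescript
// Added example, not ABP's code. The `TokenEndpoints` interface, the password grant,
// the endpoint names in comments and the in-memory FakeAuthServer are assumptions
// so the sample runs offline; a real app would back `TokenEndpoints` with HttpClient.
import * as crypto from "crypto";

interface TokenResponse { access_token: string; refresh_token: string; expires_in: number; }
interface UserInfo { sub: string; name: string; }
type TokenKind = "access_token" | "refresh_token";
interface TokenEndpoints {
  token(params: Record<string, string>): Promise<TokenResponse>; // POST /connect/token
  userinfo(accessToken: string): Promise<UserInfo>;               // GET /connect/userinfo
  revoke(token: string, hint: TokenKind): Promise<void>;          // POST /connect/revocation
}

export class ReferenceTokenAuthService {
  // Tokens live only in memory and are never decoded: an opaque handle carries
  // no claims, so the user's identity is fetched from the server instead.
  private accessToken: string | null = null;
  private refreshToken: string | null = null;
  private user: UserInfo | null = null;
  constructor(private readonly api: TokenEndpoints, private readonly clientId: string) {}

  async login(username: string, password: string): Promise<UserInfo> {
    const params = { grant_type: "password", client_id: this.clientId, username, password, scope: "openid offline_access" };
    this.store(await this.api.token(params));
    this.user = await this.api.userinfo(this.accessToken!);
    return this.user;
  }

  // Get a fresh pair, then revoke the superseded access token so no stale handle
  // stays usable (harmless if the server already did it: RFC 7009 is idempotent).
  async refresh(): Promise<void> {
    if (!this.refreshToken) throw new Error("not logged in");
    const previous = this.accessToken;
    this.store(await this.api.token({ grant_type: "refresh_token", client_id: this.clientId, refresh_token: this.refreshToken }));
    if (previous) await this.api.revoke(previous, "access_token");
  }

  // Wipe local copies, then revoke server-side, so a copied access token fails
  // introspection as soon as logout completes rather than when it expires.
  async logout(): Promise<void> {
    const { accessToken, refreshToken } = this;
    this.accessToken = this.refreshToken = this.user = null;
    if (accessToken) await this.api.revoke(accessToken, "access_token");
    if (refreshToken) await this.api.revoke(refreshToken, "refresh_token");
  }

  authHeader(): Record<string, string> {
    if (!this.accessToken) throw new Error("not logged in");
    return { Authorization: `Bearer ${this.accessToken}` };
  }
  currentUser(): UserInfo | null { return this.user; }
  private store(r: TokenResponse): void { this.accessToken = r.access_token; this.refreshToken = r.refresh_token; }
}

// Constructed stand-in for the authorization server: it mints random handles and
// keeps the only handle->subject table, which is what makes revocation immediate.
export class FakeAuthServer implements TokenEndpoints {
  private readonly active = new Map<string, { sub: string; kind: TokenKind }>();
  private readonly users = new Map([["alice", "correct horse"]]); // constructed; plaintext for the demo only

  private issue(sub: string): TokenResponse {
    const mint = (kind: TokenKind): string => {
      const handle = crypto.randomBytes(32).toString("hex");
      this.active.set(handle, { sub, kind });
      return handle;
    };
    return { access_token: mint("access_token"), refresh_token: mint("refresh_token"), expires_in: 3600 };
  }
  async token(p: Record<string, string>): Promise<TokenResponse> {
    const pw = this.users.get(p.username);
    if (p.grant_type === "password" && pw !== undefined && pw === p.password) return this.issue(p.username);
    const rec = this.active.get(p.refresh_token);
    if (p.grant_type === "refresh_token" && rec && rec.kind === "refresh_token") {
      this.active.delete(p.refresh_token); // rotation: a refresh token is single-use
      return this.issue(rec.sub);
    }
    throw new Error("invalid_grant");
  }
  async userinfo(accessToken: string): Promise<UserInfo> {
    const rec = this.active.get(accessToken);
    if (!rec || rec.kind !== "access_token") throw new Error("invalid_token");
    return { sub: rec.sub, name: rec.sub.toUpperCase() };
  }
  async revoke(token: string): Promise<void> { this.active.delete(token); } // unknown token: no-op (RFC 7009)
  isActive(token: string): boolean { return this.active.has(token); }       // what introspection would answer
}

// Login, refresh and logout against the fake server, checking what the server still accepts.
export async function demo(): Promise<{ user: string; firstActiveAfterRefresh: boolean; lastActiveAfterLogout: boolean }> {
  const server = new FakeAuthServer();
  const auth = new ReferenceTokenAuthService(server, "Angular_App");
  const user = await auth.login("alice", "correct horse");
  const first = auth.authHeader().Authorization.slice("Bearer ".length);
  await auth.refresh();
  const last = auth.authHeader().Authorization.slice("Bearer ".length);
  await auth.logout();
  return { user: user.sub, firstActiveAfterRefresh: server.isActive(first), lastActiveAfterLogout: server.isActive(last) };
}
```

Against a real ABP backend the `TokenEndpoints` implementation would POST form-encoded bodies to the actual `/connect/token` and `/connect/revocation` endpoints and GET `/connect/userinfo` with the bearer header from `authHeader()`. Note that the browser client in this sample is a public client: it sends only a `client_id`, never a `client_secret`, which is the constraint the thread later raises for confidential clients.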
-
0
Hello Team,
Thanks for confirming that AuthService.login() only supports JWT-based flows.
However, our **main concern is not just login, but secure revocation of access tokens during logout or re-login.** This is a critical requirement for us.
We’ve already raised another ticket related to this: How-to-Invalidate-Access-Token-on-Logout https://abp.io/support/questions/9531/How-to-Invalidate-Access-Token-on-Logout#answer-3a1abddd-345b-38e4-45e8-b809897a59ba
We’ve implemented token revocation correctly at the backend using OpenIddict.
But since we're using JWT tokens, the token is still considered valid on the resource server after revocation, because:
- JWT validation is stateless
- No DB call or introspection occurs per request
So even if the token is revoked, any service or API with the previously issued JWT still allows access until the token expires.
We need guidance on:
- How to properly handle login + token storage in Angular when using Reference Tokens
- Whether ABP.IO plans to support AuthService.login() with Reference Tokens
- Recommended best practice for securely revoking tokens (especially on login/logout scenarios) in both frontend and backend
- Whether we must fully switch to loginUsingGrant() + custom token storage in Angular apps using confidential clients
Looking forward to your input, as this is urgent and security-critical for us. Please let me know if we can have a call so that we can share the code.
Thanks
-
0
Hi Yaduraj
Let me address your questions one by one:
1. Proper login + token storage in Angular with Reference Tokens
- Currently, the ABP Angular `AuthService.login()` and related infrastructure expect JWT tokens and attempt to decode them. Since reference tokens are opaque, they cannot be decoded on the client side.
- You need to implement a custom authentication flow:
  - Call the `/connect/token` endpoint directly (e.g., password or authorization code flow).
  - Store the returned `access_token` (opaque) and `refresh_token` securely. Prefer in-memory or `sessionStorage` for the access token to reduce XSS exposure.
  - Fetch user profile/claims from an API endpoint (`/connect/userinfo` or `/api/account/my-profile`) instead of decoding the token.
  - Handle token refresh and revocation manually in your Angular app.
2. ABP.IO plans for `AuthService.login()` with Reference Tokens
- There is no built-in support for reference tokens in `AuthService.login()` at the moment. All built-in identity services assume JWTs.
- We may consider adding a “token-agnostic” mode in the future, but this is not on the short-term roadmap.
- For now, the recommended approach is a custom implementation on the Angular side.
3. Best practice for secure token revocation
- Backend: Use the `/connect/revocation` endpoint for both access and refresh tokens. With reference tokens, revocation is immediate, since resource servers perform introspection on every request.
- Frontend: On logout or re-login, revoke all active tokens and clear local storage/memory to prevent reuse. For confidential clients, ensure the `client_secret` is never exposed in browser code.
4. Switching to `loginUsingGrant()` + custom token storage
- Yes — if you want to use reference tokens in Angular today, you must bypass `AuthService.login()` and either use `loginUsingGrant()` or call the token endpoint manually.
- This gives you full control over storage, refresh, and revocation without hitting the JWT-specific assumptions in the built-in services.
- `AuthService.login()` does not currently support this scenario. If you prefer built-in features, you would need to switch back to JWTs and use short-lived tokens or backchannel checks to approximate immediate revocation.
If you would like, we can provide you with a sample implementation project demonstrating how to handle login, token storage, refresh, and revocation in Angular using reference tokens.
Angular Team @ Abp Framework
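The revocation problem Yaduraj describes above (stateless JWT validation, no introspection per request, so a revoked JWT stays usable until it expires) and the Angular team's point 3 and closing remark (introspection makes reference-token revocation immediate; JWTs need short lifetimes or backchannel checks to approximate it) can be shown side by side. The following is an added example, not ABP or OpenIddict code. HS256 with a random shared key, an in-memory jti denylist standing in for a backchannel check, and an in-memory reference-token table are assumptions chosen so the block runs offline; OpenIddict normally signs with an asymmetric key and a real denylist would be a shared cache or database.

```typescript
// Added example (not ABP or OpenIddict code): a revoked JWT still passes a stateless
// resource server, while a reference token fails introspection immediately. HS256 with
// a random key, the jti denylist and the in-memory token table are assumptions.
import * as crypto from "crypto";

const KEY = crypto.randomBytes(32); // constructed signing key shared by issuer and API
const b64url = (data: Buffer | string): string =>
  Buffer.from(data).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s: string): Buffer => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const hmac = (input: string): Buffer => crypto.createHmac("sha256", KEY).update(input).digest();

export interface Claims { sub: string; jti: string; exp: number; }

export function signJwt(claims: Claims): string {
  const signingInput = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${b64url(hmac(signingInput))}`;
}

// Stateless validation: signature and expiry only. Nothing here can learn that the
// issuer revoked the token, so a revoked JWT is accepted until `exp` passes.
export function verifyJwtStateless(token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const expected = hmac(`${parts[0]}.${parts[1]}`);
  const given = fromB64url(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(fromB64url(parts[1]).toString("utf8")) as Claims;
  return typeof claims.exp === "number" && claims.exp > now ? claims : null;
}

// Backchannel approximation for JWTs: the API also consults a denylist of revoked
// jti values published by the authorization server (assumed in-memory here).
export const revokedJti = new Set<string>();
export function verifyJwtWithDenylist(token: string, now: number): Claims | null {
  const claims = verifyJwtStateless(token, now);
  return claims && !revokedJti.has(claims.jti) ? claims : null;
}

// Reference tokens: the authorization server holds the only record of the handle and
// the API introspects on every request, so deleting the record revokes immediately.
const activeReferenceTokens = new Map<string, { sub: string; exp: number }>();
export function issueReferenceToken(sub: string, now: number, ttlSeconds = 3600): string {
  const handle = crypto.randomBytes(32).toString("hex"); // opaque: carries no claims
  activeReferenceTokens.set(handle, { sub, exp: now + ttlSeconds });
  return handle;
}
export function revokeReferenceToken(handle: string): void { activeReferenceTokens.delete(handle); }
export function introspect(handle: string, now: number): { active: boolean; sub?: string } {
  const rec = activeReferenceTokens.get(handle);
  return rec && rec.exp > now ? { active: true, sub: rec.sub } : { active: false };
}

// Issue one token of each kind, revoke both at the issuer, then ask each validator.
export function demo(now = 1700000000) {
  const jwt = signJwt({ sub: "alice", jti: "tok-1", exp: now + 3600 });
  const ref = issueReferenceToken("alice", now);
  revokedJti.add("tok-1");   // issuer marks the JWT revoked
  revokeReferenceToken(ref); // issuer deletes the reference token
  return {
    jwtStatelessStillValid: verifyJwtStateless(jwt, now) !== null, // true: revocation is invisible
    jwtDenylistRejected: verifyJwtWithDenylist(jwt, now) === null, // true: backchannel check catches it
    referenceRejected: !introspect(ref, now).active,               // true: introspection catches it
  };
}
```

The denylist variant only helps if every resource server consults it on every request, which reintroduces the per-request lookup that reference tokens make explicit; the other knob the thread mentions, short `exp` values, bounds how long a revoked JWT survives in the stateless path but does not eliminate the window.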
-
0
Hello @Yaduraj.Shakti, can you give me an email address so I can send you the example project?
-
0
Hi @fahrigedik,
Can you create a GitHub repo and post your project there?