Activities of "fahrigedik"

Hello @Yaduraj.Shakti, can you give me your email address so I can send the example project?

Hi Yaduraj

Let me address your questions one by one:

1. Proper login + token storage in Angular with Reference Tokens

  • Currently, the ABP Angular AuthService.login() and related infrastructure expect JWT tokens and attempt to decode them. Since reference tokens are opaque, they cannot be decoded on the client side.
  • You need to implement a custom authentication flow:
    • Call the /connect/token endpoint directly (e.g., password or authorization code flow).
    • Store the returned access_token (opaque) and refresh_token securely. Prefer in-memory or sessionStorage for the access token to reduce XSS exposure.
    • Fetch user profile/claims from an API endpoint (/connect/userinfo or /api/account/my-profile) instead of decoding the token.
    • Handle token refresh and revocation manually in your Angular app.

2. ABP.IO plans for AuthService.login() with Reference Tokens

  • There is no built-in support for reference tokens in AuthService.login() at the moment. All built-in identity services assume JWTs.
  • We may consider adding a “token-agnostic” mode in the future, but this is not on the short-term roadmap.
  • For now, the recommended approach is a custom implementation on the Angular side.

3. Best practice for secure token revocation

  • Backend: Use the /connect/revocation endpoint for both access and refresh tokens. With reference tokens, revocation is immediate, since resource servers perform introspection on every request.
  • Frontend: On logout or re-login, revoke all active tokens and clear local storage/memory to prevent reuse. For confidential clients, ensure the client_secret is never exposed in browser code.

4. Switching to loginUsingGrant() + custom token storage

  • Yes — if you want to use reference tokens in Angular today, you must bypass AuthService.login() and either use loginUsingGrant() or call the token endpoint manually.
  • This gives you full control over storage, refresh, and revocation without hitting the JWT-specific assumptions in the built-in services.

AuthService.login() does not currently support this scenario. If you prefer built-in features, you would need to switch back to JWTs and use short-lived tokens or backchannel checks to approximate immediate revocation.

If you would like, we can provide you with a sample implementation project demonstrating how to handle login, token storage, refresh, and revocation in Angular using reference tokens.

Angular Team @ Abp Framework
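The custom flow from point 1 and the revocation order from point 3 of the reply above, as an added example that is not part of the original post and is not ABP's own code. The `Http` wrapper type (pass a thin adapter around `fetch` or Angular's `HttpClient`), the authority URL, the client id and the choice of the password grant for a public client are assumptions.

```typescript
// Added example, not ABP code. Http, authority and clientId are assumptions.
type Http = (url: string, init: { method: string; headers: Record<string, string>; body?: string }) =>
  Promise<{ ok: boolean; json(): Promise<any> }>;
const FORM = { 'Content-Type': 'application/x-www-form-urlencoded' };

function formBody(fields: Record<string, string>): string {  // x-www-form-urlencoded encoder
  return Object.keys(fields).map(k => `${encodeURIComponent(k)}=${encodeURIComponent(fields[k])}`).join('&');
}

class ReferenceTokenSession {
  private access: string | null = null;   // opaque reference token, never decoded
  private refresh: string | null = null;  // held in memory only, gone on page reload
  private http: Http; private authority: string; private clientId: string;
  constructor(http: Http, authority: string, clientId: string) {
    this.http = http; this.authority = authority; this.clientId = clientId;
  }

  // Password grant against /connect/token (public client: no client_secret in the browser).
  async login(username: string, password: string, scope: string): Promise<void> {
    const body = formBody({ grant_type: 'password', client_id: this.clientId, username, password, scope });
    const res = await this.http(`${this.authority}/connect/token`, { method: 'POST', headers: FORM, body });
    if (!res.ok) throw new Error('token request rejected');
    const tokens = await res.json();
    this.access = tokens.access_token; this.refresh = tokens.refresh_token ?? null;
  }

  // Claims come from /connect/userinfo because the token itself is unreadable.
  async claims(): Promise<any> {
    if (!this.access) throw new Error('not signed in');
    const res = await this.http(`${this.authority}/connect/userinfo`, { method: 'GET', headers: { Authorization: `Bearer ${this.access}` } });
    if (!res.ok) throw new Error('userinfo rejected; token revoked or expired');
    return res.json();
  }

  // Revoke the refresh token first so it cannot mint a new access token, then the access token.
  async logout(): Promise<string[]> {
    const pending: [string, string | null][] = [['refresh_token', this.refresh], ['access_token', this.access]];
    this.access = this.refresh = null;  // forget locally even if a revocation call fails
    const revoked: string[] = [];
    for (const [hint, token] of pending) {
      if (!token) continue;
      const body = formBody({ token, token_type_hint: hint, client_id: this.clientId });
      const res = await this.http(`${this.authority}/connect/revocation`, { method: 'POST', headers: FORM, body });
      if (res.ok) revoked.push(hint);
    }
    return revoked;
  }
}
```

A failed `claims()` call after login is the client-side signal that the server has revoked the token, since introspection happens on the resource server and nothing in the token can be checked locally.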

[pablo@ccalp.net] said: Yeah, I saw that already, got the guard code from the branch and tested it, didn't work.

Hi Pablo,

Thanks for the details you've shared so far.

Could you please share the example where you tested the asyncAuthGuard?
This guard was specifically designed to help prevent the login redirect loop issue, especially after upgrading to v9.2.x.

We’d like to review your usage and see if anything might be missing or misaligned with the intended pattern.

A minimal example (GitHub repo or zip) would be very helpful.

Thanks,
Angular Team @ Volosoft

Made with ❤️ on ABP v10.0.0-preview. Updated on September 12, 2025, 10:20