Okta Angular SDK
Okta Angular SDK builds on top of the Okta Auth SDK. This SDK adds integration with @angular/router and provides additional logic and components designed to help you quickly add authentication and authorization to your Angular single-page web application.
With the Okta Auth SDK, you can:
- Login and logout from Okta using the OAuth 2.0 API
- Retrieve user information
- Determine authentication status
- Validate the current user's session
All of these features are supported by this SDK. Additionally, using this SDK, you can:
- Add "protected" routes, which will require authentication before render
- Define custom logic/behavior when authentication is required
- Subscribe to changes in authentication state using an Observable property
- Provide an instance of the Auth service to your components using Dependency Injection
This SDK does not provide any UI components.
This library currently supports:
This library has been tested for compatibility with the following Angular versions: 4, 5, 6, 7, 8, 9
- If you do not already have a Developer Edition Account, you can create one at https://developer.okta.com/signup/.
- An Okta Application, configured for Single-Page App (SPA) mode. This is done from the Okta Developer Console and you can find instructions here. When following the wizard, use the default properties. They are are designed to work with our sample applications.
- Angular Quickstart
- If you don't have an Angular app, or are new to Angular, please start with this guide. It will walk you through the creation of an Angular app, creating routes, and other application development essentials.
- Okta Sample Application
- A fully functional sample application.
- Okta Guide: Sign users into your single-page application
- Step-by-step guide to integrating an existing Angular application with Okta login.
This library is available through npm. To install it, simply add it to your project:
npm install --save @okta/okta-angular
An Angular InjectionToken used to configure the OktaAuthService. This value must be provided by your own application. It is initialized by a plain object which can have the following properties:
issuer(required): The OpenID Connect
clientId(required): The OpenID Connect
redirectUri(required): Where the callback is hosted
postLogoutRedirectUri| Specify the url where the browser should be redirected after logout. This url must be added to the list of
Logout redirect URIson the application's
scope(deprecated in v1.2.2): Use
scopes(optional): Reserved for custom claims to be returned in the tokens. Defaults to
['openid'], which will only return the
subclaim. To obtain more information about the user, use
openid profile. For a list of scopes and claims, please see Scope-dependent claims for more information.
responseType(optional): Desired token grant types. Default:
['id_token', 'token']. For PKCE flow, this should be left undefined or set to
true, PKCE flow will be used
onAuthRequired(optional): - callback function. Called when authentication is required. If not supplied,
okta-angularwill redirect directly to Okta for authentication. This is triggered when:
- login is called
- A route protected by
OktaAuthGuardis accessed without authentication
onSessionExpired(optional) - callback function. Called when the Okta SSO session has expired or was ended outside of the application. This SDK adds a default handler which will call login to initiate a login flow. Passing a function here will disable the default handler.
isAuthenticated(optional) - callback function. By default,
OktaAuthService.isAuthenticatedwill return true if both
getAccessToken()return a value. Setting a
isAuthenticatedfunction on the config will skip the default logic and call the supplied function instead. The function should return a Promise and resolve to either true or false.
tokenManager(optional): An object containing additional properties used to configure the internal token manager. See AuthJS TokenManager for more detailed information.
autoRenew(optional): By default, the library will attempt to renew expired tokens. When an expired token is requested by the library, a renewal request is executed to update the token. If you wish to to disable auto renewal of tokens, set autoRenew to false.
truethen only "secure" https cookies will be stored. This option will prevent cookies from being stored on an HTTP connection. This option is only relevant if
storageis set to
cookie, or if the client browser does not support
sessionStorage, in which case
cookiestorage will be used.
storage(optional): Specify the type of storage for tokens. The types are:
The top-level Angular module which provides these components and services:
OktaAuthGuard- A navigation guard using CanActivate to grant access to a page only after successful authentication.
OktaCallbackComponent- Handles the implicit flow callback by parsing tokens from the URL and storing them automatically.
OktaLoginRedirectComponent- Redirects users to the Okta Hosted Login Page for authentication.
OktaAuthService- Highest-level service containing the
Routes are protected by the
OktaAuthGuard, which verifies there is a valid
accessToken stored. To ensure the user has been authenticated before accessing your route, add the
canActivate guard to one of your routes:
If a user does not have a valid session, they will be redirected to the Okta Login Page for authentication. Once authenticated, they will be redirected back to your application's protected page.
Handles the callback after the redirect. By default, it parses the tokens from the uri, stores them, then redirects to
/. If a protected route (using
OktaAuthGuard) caused the redirect, then the callback redirects to the protected route. For more advanced cases, this component can be copied to your own source tree and modified as needed.
You should define a route to handle the callback URL (
/implicit/callback by default). Also add
OktaCallbackComponent to the declarations section of in your
OktaLoginRedirect component redirects the user's browser to the Okta-hosted login page for your organization. For more advanced cases, this component can be copied to your own source tree and modified as needed.
Using a custom login-page
okta-angular SDK supports the session token redirect flow for custom login pages. For more information, see the basic Okta Sign-in Widget functionality.
To handle the session-token redirect flow, you can set an
onAuthRequired callback by adding a
data attribute directly to your
Alternatively, set this behavior globally by adding it to your configuration object:
In your components, your can take advantage of all of
okta-angular's features by importing the
OktaAuthService. The example below shows connecting two buttons to handle login and logout:
onAuthRequired function if it was set on the initial configuration. Otherwise, it will call
loginRedirect. This method accepts a
fromUri parameter to push the user to after successful authentication, and an optional
For more information on
additionalParams, see the oktaAuth.loginRedirect method below.
Performs a full page redirect to Okta based on the initial configuration. This method accepts a
fromUri parameter to push the user to after successful authentication.
The optional parameter
additionalParams is mapped to the AuthJS OpenID Connect Options. This will override any existing configuration. As an example, if you have an Okta
sessionToken, you can bypass the full-page redirect by passing in this token. This is recommended when using the Okta Sign-In Widget. Simply pass in a
sessionToken into the
loginRedirect method follows:
Returns a promise that resolves
true if there is a valid access token or ID token.
An observable that returns true/false when the authenticate state changes. This will happen after a successful login via
oktaAuth.handleAuthentication() or logout via
Returns a promise that will resolve with the result of the OpenID Connect
/userinfo endpoint if an access token is provided, or returns the claims of the ID token if no access token is available. The returned claims depend on the requested response type, requested scopes, and authorization server policies. For more information see documentation for the UserInfo endpoint, ID Token Claims, and Customizing Your Authorization Server.
Returns a promise that returns the access token string from storage (if it exists).
Returns a promise that returns the ID token string from storage (if it exists).
Parses the tokens returned as hash fragments in the OAuth 2.0 Redirect URI, then redirects to the URL specified when calling
loginRedirect. Returns a promise that will be resolved when complete.
Terminates the user's session in Okta and clears all stored tokens. Accepts an optional
uri parameter to push the user to after logout.
Used to capture the current URL state before a redirect occurs. Used primarily for custom
canActivate navigation guards.
Returns the stored URI and query parameters stored when the
setFromUri was used.
Returns the internal TokenManager.
We welcome contributions to all of our open-source packages. Please see the contribution guide to understand how to structure a contribution.
Installing dependencies for contributions
We use yarn for dependency management when developing this package:
||Start the sample app using the SDK|
||Run unit and integration tests|
||Run eslint linting tests|