Merge branch 'main' of https://github.com/damienbod/angular-auth-oidc-client

Author: damienbod

docs/site/angular-auth-oidc-client/docs/documentation/02-configuration.md

@@ -182,7 +182,7 @@ In multi-configuration use-cases, each configuration must be assigned a unique `
 - Type: `string`
 - Required: `true`
 
-This is the `redirect_url` which was configured on the security token service (STS) server.
+This is the url to the Security Token Service (STS). The authority issues tokens.
 
 ### `authWellknownEndpointUrl`
 

projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.spec.ts

@@ -367,7 +367,7 @@ describe('Auth State Service', () => {
 
       authStateService.hasIdTokenExpiredAndRenewCheckIsEnabled(config);
 
-      expect(spy).toHaveBeenCalledOnceWith('idToken', config, 30);
+      expect(spy).toHaveBeenCalledOnceWith('idToken', config, 30, undefined);
     });
 
     it('fires event if idToken is expired', () => {

projects/angular-auth-oidc-client/src/lib/auth-state/auth-state.service.ts

@@ -118,14 +118,14 @@ export class AuthStateService {
   }
 
   hasIdTokenExpiredAndRenewCheckIsEnabled(configuration: OpenIdConfiguration): boolean {
-    const { renewTimeBeforeTokenExpiresInSeconds, enableIdTokenExpiredValidationInRenew } = configuration;
+    const { renewTimeBeforeTokenExpiresInSeconds, enableIdTokenExpiredValidationInRenew, disableIdTokenValidation } = configuration;
 
     if (!enableIdTokenExpiredValidationInRenew) {
       return false;
     }
     const tokenToCheck = this.storagePersistenceService.getIdToken(configuration);
 
-    const idTokenExpired = this.tokenValidationService.hasIdTokenExpired(tokenToCheck, configuration, renewTimeBeforeTokenExpiresInSeconds);
+    const idTokenExpired = this.tokenValidationService.hasIdTokenExpired(tokenToCheck, configuration, renewTimeBeforeTokenExpiresInSeconds, disableIdTokenValidation);
 
     if (idTokenExpired) {
       this.publicEventsService.fireEvent<boolean>(EventTypes.IdTokenExpired, idTokenExpired);

projects/angular-auth-oidc-client/src/lib/config/openid-configuration.ts

@@ -175,4 +175,6 @@ export interface OpenIdConfiguration {
    * The refresh token rotation is optional (rfc6749) but is more safe and hence encouraged.
    */
   allowUnsafeReuseRefreshToken?: boolean;
+  /** Disable validation for id_token expiry time */
+  disableIdTokenValidation?: boolean
 }

projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts

@@ -51,7 +51,7 @@ export class StateValidationService {
     }
 
     if (callbackContext.authResult.id_token) {
-      const { clientId, issValidationOff, maxIdTokenIatOffsetAllowedInSeconds, disableIatOffsetValidation, ignoreNonceAfterRefresh } =
+      const { clientId, issValidationOff, maxIdTokenIatOffsetAllowedInSeconds, disableIatOffsetValidation, ignoreNonceAfterRefresh, disableIdTokenValidation } =
         configuration;
 
       toReturn.idToken = callbackContext.authResult.id_token;
@@ -164,7 +164,7 @@ export class StateValidationService {
             return of(toReturn);
           }
 
-          if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken, configuration)) {
+          if (!this.tokenValidationService.validateIdTokenExpNotExpired(toReturn.decodedIdToken, configuration, maxIdTokenIatOffsetAllowedInSeconds, disableIdTokenValidation)) {
             this.loggerService.logWarning(configuration, 'authCallback id token expired');
             toReturn.state = ValidationResult.TokenExpired;
             this.handleUnsuccessfulValidation(configuration);

projects/angular-auth-oidc-client/src/lib/validation/token-validation.service.ts

@@ -68,15 +68,17 @@ export class TokenValidationService {
 
   // id_token C7: The current time MUST be before the time represented by the exp Claim
   // (possibly allowing for some small leeway to account for clock skew).
-  hasIdTokenExpired(token: string, configuration: OpenIdConfiguration, offsetSeconds?: number): boolean {
+  hasIdTokenExpired(token: string, configuration: OpenIdConfiguration, offsetSeconds?: number, disableIdTokenValidation?: boolean): boolean {
     const decoded = this.tokenHelperService.getPayloadFromToken(token, false, configuration);
 
-    return !this.validateIdTokenExpNotExpired(decoded, configuration, offsetSeconds);
+    return !this.validateIdTokenExpNotExpired(decoded, configuration, offsetSeconds, disableIdTokenValidation);
   }
 
   // id_token C7: The current time MUST be before the time represented by the exp Claim
   // (possibly allowing for some small leeway to account for clock skew).
-  validateIdTokenExpNotExpired(decodedIdToken: string, configuration: OpenIdConfiguration, offsetSeconds?: number): boolean {
+  validateIdTokenExpNotExpired(decodedIdToken: string, configuration: OpenIdConfiguration, offsetSeconds?: number, disableIdTokenValidation?: boolean): boolean {
+    if (disableIdTokenValidation) return true;
+
     const tokenExpirationDate = this.tokenHelperService.getTokenExpirationDate(decodedIdToken);
     offsetSeconds = offsetSeconds || 0;