ember-simple-auth-oidc v4 includes an upgrade to Ember v4 and Ember Simple Auth v4, which entails the removal of the deprecated usage of mixins. This results in a number of breaking changes, which are described in the following sections. Refer to the Ember Simple Auth and Ember v4 documentation for more information.
In addition, the access token is no longer refreshed through a timer-based approach and requires an explicit refresh to ensure that the access token hasn't expired. Although a refresh is ensured by the addon in certain scenarios, the consuming application needs to be aware of these behavioral changes, especially when performing authorized requests.
The mixin `AuthenticatedRouteMixin` from Ember Simple Auth should no longer be used. Instead, authenticated routes can make use of the method `session.requireAuthentication` of the session service. It ensures that unauthenticated access is prohibited on the route and any of its subroutes, in which case the user is redirected to the specified authentication route. If the access is authenticated, it refreshes the access token before accessing the authenticated route.
// app/routes/protected.js
import Route from "@ember/routing/route";
- import AuthenticatedRouteMixin from "ember-simple-auth/mixins/authenticated-route-mixin";
+ import { inject as service } from "@ember/service";
- export default class ProtectedRoute extends Route.extend(
- AuthenticatedRouteMixin
- ) {}
+ export default class ProtectedRoute extends Route {
+ @service session;
+
+ beforeModel(transition) {
+ this.session.requireAuthentication(transition, "login");
+ }
+ }
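Review bot: in the added `beforeModel`, the result of `this.session.requireAuthentication(transition, "login")` is discarded. The text above says this call refreshes the access token before the route is entered; if that work is asynchronous, the transition will not wait for it unless the hook returns it. Suggest `return this.session.requireAuthentication(transition, "login");` so the router waits for both the refresh and the redirect decision.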
The `OIDCApplicationRouteMixin` is no longer needed; its functionality is now handled through the session service. The mixin and the properties `routeAfterAuthentication` and `routeIfAlreadyAuthenticated` can be removed.
// app/routes/application.js
import Route from "@ember/routing/route";
- import OIDCApplicationRouteMixin from "ember-simple-auth-oidc/mixins/oidc-application-route-mixin";
- export default class ApplicationRoute extends Route.extend(
- OIDCApplicationRouteMixin
- ) {
- routeAfterAuthentication = "protected";
- routeIfAlreadyAuthenticated = "protected";
+ export default class ApplicationRoute extends Route {}
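Review bot: the removed `routeAfterAuthentication = "protected"` and `routeIfAlreadyAuthenticated = "protected"` have no counterpart in the added line, so a reader cannot tell from this example where the post-login target is configured now. Say where that setting lives after the migration, or state that it is no longer configurable on the route. The removed class body also has no `- }` line for its closing brace, so the before and after do not line up when applied literally.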
Instead of using the `OIDCAuthenticationRouteMixin`, the authentication route should extend from the `OIDCAuthenticationRoute`. It handles the OIDC authentication process as before and ensures that access to the route is prohibited to already authenticated users.
// app/routes/login.js
- import Route from "@ember/routing/route";
- import OIDCAuthenticationRouteMixin from "ember-simple-auth-oidc/mixins/oidc-authentication-route-mixin";
+ import OIDCAuthenticationRoute from "ember-simple-auth-oidc/routes/oidc-authentication";
- export default class LoginRoute extends Route.extend(
- OIDCAuthenticationRouteMixin
- ) {}
+ export default class LoginRoute extends OIDCAuthenticationRoute {}
The mixin `OIDCAdapterMixin` is no longer needed and can be replaced by extending the application adapter from either the `OIDCJSONAPIAdapter` or the `OIDCRESTAdapter`. The provided adapters ensure that outgoing Ember Data requests first trigger an access token refresh, so that the authorization token is up to date. By default, the adapters simply provide the authorization headers necessary to authorize the Ember Data requests. The headers are also available through the session service and can be used when overriding the adapter's headers. The provided adapters contain the necessary logic to handle 401 responses appropriately.
// app/adapters/application.js
- import JSONAPIAdapter from "@ember-data/adapter/json-api";
- import OIDCAdapterMixin from "ember-simple-auth-oidc/mixins/oidc-adapter-mixin";
+ import { inject as service } from "@ember/service";
+ import OIDCJSONAPIAdapter from "ember-simple-auth-oidc/adapters/oidc-json-api-adapter";
- export default class ApplicationAdapter extends JSONAPIAdapter.extend(
- OIDCAdapterMixin
- ) {}
+ export default class ApplicationAdapter extends OIDCJSONAPIAdapter {
+ @service session;
+
+ get headers() {
+ return { ...this.session.headers, "Content-Language": "en-us" };
+ }
+ }
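Review bot: in the added `headers` getter, `"Content-Language"` is placed after `...this.session.headers`, so any custom key that collides with a session header silently replaces it, and an override that omits the spread sends Ember Data requests with no authorization header at all. Suggest putting `...this.session.headers` last in the object literal and adding a comment that the spread must be kept whenever `headers` is overridden.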
Ember Simple Auth encourages setting up the session service in the `beforeModel` of the application route starting with version 4.1.0. For more information visit their upgrade to v4 guide.
The new implementations of `OIDCJSONAPIAdapter` and `OIDCRESTAdapter` use `Proxy` to ensure that an access token refresh is performed before issuing Ember Data requests. When using these adapters and requiring IE11 support, a polyfill needs to be provided.
Previous implementations included a timer-based access token refresh mechanism, which ensured that the access token never expired as long as a valid refresh token was available. The new implementation automatically refreshes the access token before transitioning to an authenticated route and before issuing Ember Data requests. When other kinds of authorized requests are performed, a token refresh needs to be ensured before making the request, by performing the task `session.refreshAuthentication` provided through the session service. This will ensure that the access token is valid and will prevent any unnecessary 401 responses.
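One way to wrap such non-Ember-Data requests, as an added example that is not code from the addon: it awaits `session.refreshAuthentication.perform()` and only then reads `session.headers`, so the request carries the refreshed token. The names `authorizedFetch`, `makeStubSession` and `demo`, the `/api/reports` URL and the `Bearer` header shape are assumptions; in an application the session would be the injected session service.

```javascript
// Added example; `session` is duck-typed on the two members this page names:
// the task `refreshAuthentication` (run with .perform()) and `headers`.
async function authorizedFetch(session, url, options = {}, fetchImpl = globalThis.fetch) {
  // Refresh first and await it; an un-awaited refresh lets the request race
  // the refresh and leave with the old access token.
  await session.refreshAuthentication.perform();
  // Read the headers only after the refresh has settled. Session headers are
  // spread last so a caller-supplied Authorization cannot replace the token.
  const headers = { ...(options.headers || {}), ...session.headers };
  return fetchImpl(url, { ...options, headers });
}

// Constructed stand-in for the session service (header shape is an assumption).
function makeStubSession() {
  const session = {
    token: "stale-token",
    refreshes: 0,
    refreshAuthentication: {
      perform: () =>
        new Promise((resolve) =>
          setTimeout(() => {
            session.token = "fresh-token";
            session.refreshes += 1;
            resolve();
          }, 5)
        ),
    },
    get headers() {
      return { Authorization: `Bearer ${session.token}` };
    },
  };
  return session;
}

// Records what would be sent instead of touching the network.
async function demo() {
  const sent = [];
  const fakeFetch = async (url, init) => {
    sent.push({ url, method: init.method, headers: init.headers });
    return { status: 200 };
  };
  const session = makeStubSession();
  const callerHeaders = { Accept: "application/json", Authorization: "Bearer caller" };
  const options = { method: "POST", headers: callerHeaders };
  const response = await authorizedFetch(session, "/api/reports", options, fakeFetch);
  return { sent, refreshes: session.refreshes, status: response.status };
}
```

Reading `session.headers` before the `await` would capture the stale token, which is the failure the stub's delayed refresh is there to expose.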