w

+651.288.7000

info@intertech.com

l

Request A Quote

Planning & Requirement Analysis

Understanding the needs of the users and stakeholders, defining the scope of the project, and creating a plan that outlines the project’s goals, timeline, resources, and potential risks is just one area in which we specialize.

Architecture & Design

System Structure & User Interface

Creating a high-level architecture and design for the software system is how we help. This includes defining the structure, components, interactions, and interfaces of the system.

Implementation and Development

We help you write the actual code that makes up the software, based on the design specifications. This involves selecting appropriate programming languages, coding standards, and development practices.

Quality Assurance

Quality – Reliability – Security

Our experienced consultants help you implemented practices and processes that ensure the software’s quality, reliability, security, and compliance meets industry standards.

Testing

Manual & Automated

Our experts help you thoroughly testing the software to identify and fix bugs, ensure it meets the requirements, and functions as intended. Testing includes unit testing, integration testing, system testing, and acceptance testing,

Version Control and Collaboration

We help you use version control systems (e.g., Git) to manage changes to the codebase, enabling collaboration among developers and tracking the history of code modifications so your knowledge base stays in one place.

Documentation

Tutorials — How-To — Technical

We help you create comprehensive documentation that explains the software’s functionality, architecture, APIs, and usage instructions to help you facilitate easier understanding and maintenance of the software.

Deployment

Release – Backup – Migration

We help you deploy new and updated software to production environments, ensuring it can handle real-world usage, performance demands, and scalability requirements. This can also include migration and integration services.

Complete Services – Modernization, Process Automation (BPA), Framework Modularization & Microservices, API Customization, Web Framework Development (WFD) & More!

Health & MedTech

Healthcare IT Case Study

Financial Services

High Tech

Manufacturing

Transportation & Logistics

Business & Retail

Ag | Food and Beverage

Government

All Case Studies – Discover why Intertech has been a trusted partner to large & small companies since 1991!

About Intertech

Award Winning Consulting Since 1991

We provide proven co-development and project services that modernize, design, and create new architecture and applications that remove manual tasks, collect and format data for use, and help you determine the right framework or service-based solution for you and your team.
Healthcare IT Case Study

Decision-Maker Insights

Thought Leadership For Leaders

We’ve taken notes since 1991 and understand the difficulties associated with a software project. On this page you will find articles on how to successfully manage scope creep, how to select and work with an IT consulting firm, and the pillars of software development success.

Blog | From The Field

Technical Insights

Our technical blog is one of the primary reasons our clients hire us to help them update or pivot to an new technology. Proof that your partner is proficient and can communicate is essential when taking on a project that has your name on it and has a lasting impact.

AI & BI Resource Library

The Competitive Advantage

Learn everything you need to know about AI, BI, and automation with simple code for BPA results, from planning to the impact on your specific business to the various AI models available. AI has taken the world by storm, and you need to know if it is right for you. Discover the answer here.
Healthcare IT Case Study

Engaging Software Careers With A Team That Collaborates And Likes What It Does!

Intertech is growing! Let Intertech help you find your dream job in software development. Our extensive list of software careers focuses on quality. Consider one of our many software careers and come along with us as we look to another record-breaking year of growth, client satisfaction, and exciting projects with great people working by your side.

Join A Team of
Front-to-Back
Desktop-to-Mobile
Full-Stack
Azure & AWS
Custom Software Development
Professionals!

Angular 4 Tutorial – Handling Refresh Token with New HttpInterceptor

by | Nov 9, 2017

Angular 4 Tutorial
One of the very cool new features that came out in Angular 4.3 was the HttpInterceptor.  Of course this isn’t new to Angular 1 developers who had it all along but now 4.3+ developers have it so that we can add header info, handle responses, catch errors, etc. to all new HttpClient (new in 4.3 also) calls.  All of this fun new stuff is available for import at ‘@angular/common/http’.  This post isn’t an in depth study of how to do an HttpInterceptor.  Instead, it will cover how to update an OAuth authorization token using the refresh token in the HttpInterceptor.

All of the code for this post is available at github.

First, an explanation of what is happening with OAuth and the refresh token.  When you login, you get an authorization token and a refresh token.  The refresh token is configured with a certain timeout.  So when that timeout is reached (regardless of activity) you receive a 401 (Unauthorized) error from your API call.  At that point, your code must attempt to refresh the token by calling the OAuth refreshToken endpoint (with the refresh token string).  It gives you back a new authorization token and a new refresh token.  From then on, you use the new authorization token to make your API calls.

Obviously, the new HttpInterceptor is perfect for this scenario.  It can add the Authorization header to all http calls and catch exceptions to listen for 401 errors.  When the 401 error happens, it can make the refreshToken call and try again with the new authorization token.

Simple UI

The sample project I created on github is just two buttons.  The first button calls one API method that will generate a 401 error.  The second button calls two API methods (run in parallel) that will both generate a 401 error.  It displays the ending status of the method calls on screen.  The hope is that the status will be 200 and not 401.

export class AppComponent {
  message: string;

  constructor(private testService: TestService,
              private authService: AuthService) { }

  test401() {
    this.testService.getData()
      .subscribe((response: any) => {
        this.message = `Worked with status = ${response.status}`;
      },
      error => this.message = `Failed with status = ${error.status}`);
  }

  test401Multiple() {
    let dataObservable$ = this.testService.getData();
    let lookupObservable$ = this.testService.getLookup();

    Observable.forkJoin(dataObservable$, lookupObservable$)
      .subscribe(([dataResult, lookupResult]) => {
        this.message = `Worked with getData status = ${dataResult.status} and getLookup status = ${lookupResult.status}`;
      },
      error => this.message = `Failed with status = ${error.status}`);
  }
}

AuthService

The AuthService will give us the tokens.  I’m making the assumption that you already know how to call your refreshToken method on the server and store the results in session storage or however you want to cache them.  Here is my example code:

import { Observable } from 'rxjs/Observable';
import 'rxjs/add/observable/of';
import 'rxjs/add/operator/delay';

export class AuthService {
    // Assuming this would be cached somehow from a login call.
    public authTokenStale: string = 'stale_auth_token';
    public authTokenNew: string = 'new_auth_token';
    public currentToken: string;

    constructor() {
        this.currentToken = this.authTokenStale;
    }

    getAuthToken() {
        return this.currentToken;
    }

    refreshToken(): Observable<string> {
        /*
            The call that goes in here will use the existing refresh token to call
            a method on the oAuth server (usually called refreshToken) to get a new
            authorization token for the API calls.
        */

        this.currentToken = this.authTokenNew;

        return Observable.of(this.authTokenNew).delay(200);
    }
}

TestService

The TestService will handle the calling of the API.  I created an API here:  http://docs.testerrorresponses.apiary.io/#

import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';

@Injectable()
export class TestService {
    constructor(private http: HttpClient) { }

    getData() {
        return this.http.get<{status}>('http://private-4002d-testerrorresponses.apiary-mock.com/getDataError401');
    }

    getLookup() {
        return this.http.get<{status}>('http://private-4002d-testerrorresponses.apiary-mock.com/getLookupError401');
    }
}
  • The important thing to note here is that you must use HttpClient (which is new in Angular 4.3+) imported from @angular/common/http
    • The “classic” http client does not trigger the HttpInterceptor
  • The API call simply returns a 401 error

HttpInterceptor

The RequestInterceptorService will implement HttpInterceptor which has only one method:  intercept.  It will add a token to the header on each call and catch any errors that might occur.

@Injectable()
export class RequestInterceptorService implements HttpInterceptor {

    isRefreshingToken: boolean = false;
    tokenSubject: BehaviorSubject<string> = new BehaviorSubject<string>(null);

    constructor(private authService: AuthService) {}

    addToken(req: HttpRequest<any>, token: string): HttpRequest<any> {
        return req.clone({ setHeaders: { Authorization: 'Bearer ' + token }})
    }

    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpSentEvent | HttpHeaderResponse | HttpProgressEvent | HttpResponse<any> | HttpUserEvent<any>> {
        return next.handle(this.addToken(req, this.authService.getAuthToken()))
            .catch(error => {
                if (error instanceof HttpErrorResponse) {
                    switch ((<HttpErrorResponse>error).status) {
                        case 400:
                            return this.handle400Error(error);
                        case 401:
                            return this.handle401Error(req, next);
                    }
                } else {
                    return Observable.throw(error);
                }
            });
    }
  • We’ll use isRefreshingToken and tokenSubject later
  • addToken will add the Bearer token to the Authorization header
  • In the intercept method, we return next.handle and pass in the cloned request with a header added
    • Get the auth token from the AuthService
  • In the catch, we can handle any and all errors that occur, of primary interest to this example is the 401 Unauthorized error

Handling 401 Unauthorized

The code to handle the 401 error is the most important.

    handle401Error(req: HttpRequest<any>, next: HttpHandler) {
        if (!this.isRefreshingToken) {
            this.isRefreshingToken = true;

            // Reset here so that the following requests wait until the token
            // comes back from the refreshToken call.
            this.tokenSubject.next(null);

            return this.authService.refreshToken()
                .switchMap((newToken: string) => {
                    if (newToken) {
                        this.tokenSubject.next(newToken);
                        return next.handle(this.addToken(this.getNewRequest(req), newToken));
                    }

                    // If we don't get a new token, we are in trouble so logout.
                    return this.logoutUser();
                })
                .catch(error => {
                    // If there is an exception calling 'refreshToken', bad news so logout.
                    return this.logoutUser();
                })
                .finally(() => {
                    this.isRefreshingToken = false;
                });
        } else {
            return this.tokenSubject
                .filter(token => token != null)
                .take(1)
                .switchMap(token => {
                    return next.handle(this.addToken(this.getNewRequest(req), token));
                });
        }
    }

    /*
        This method is only here so the example works.
        Do not include in your code, just use 'req' instead of 'this.getNewRequest(req)'.
    */
    getNewRequest(req: HttpRequest<any>): HttpRequest<any> {
        if (req.url.indexOf('getData') > 0) {
            return new HttpRequest('GET', 'http://private-4002d-testerrorresponses.apiary-mock.com/getData');
        }

        return new HttpRequest('GET', 'http://private-4002d-testerrorresponses.apiary-mock.com/getLookup');
    }

    logoutUser() {
        // Route to the login page (implementation up to you)

        return Observable.throw("");
    }
  • If isRefreshingToken is false (which it is by default) we will enter the code section that calls authService.refreshToken
    • Immediately set isRefreshingToken to true so no more calls come in and call refreshToken again – which we don’t want of course
    • Set the tokenSubject to null so that subsequent API calls will wait until the new token has been retrieved
    • Call authService.refreshToken (this is an Observable that will be returned)
    • When successful, call tokenSubject.next on the new token, this will notify the API calls that came in after the refreshToken call that the new token is available and that they can now use it
    • Return next.handle using the new token
      • For the example, I had to change the call so that it doesn’t generate a 401 error…don’t do this in your code 🙂
  • If isRefreshingToken is true, we will wait until tokenSubject has a non-null value – which means the new token is ready
    • Only take 1 here to avoid returning two – which will cancel the request
    • When the token is available, return the next.handle of the new request
  • When the call to refreshToken completes, in the finally block, reset the isRefreshingToken to false for the next time the token needs to be refreshed
  • Note that no matter which path is taken, we must return an Observable that ends up resolving to a next.handle call so that the original call is matched with the altered call

Results

If I run the application and click the first button, this is what I see for output on screen:

Worked with status = 200

Then the second button, this is the output:

Worked with getData status = 200 and getLookup status = 200

The network tab will be the most interesting thing to see though because it shows a 401 error for all of the initial calls and then the refreshToken call, followed by all of the calls succeeding with 200.  This is the output for the multiple calls button:

  • The first two getLookup and getData calls that give a 200 status are the OPTION calls
  • The second two getLookup and getData calls are the actual successful API GET calls
  • The reason there is no “refreshToken” call here is that I’m simulating it and not making an actual call
    • But in the wild, you should see that right after the 401 error(s)

What if the Refresh Token Times Out?

Some may be wondering at this point what would happen if the refresh token times out.  Usually caused by not making any API calls for whatever the timeout is configured for.  Well, what happens is that you should see a 400 error with an ‘invalid_grant’ message.  So the handle400Error code should most likely log out the user and direct them to the login page.

Here is the code that checks for this situation:

    handle400Error(error) {
        if (error && error.status === 400 && error.error && error.error.error === 'invalid_grant') {
            // If we get a 400 and the error message is 'invalid_grant', the token is no longer valid so logout.
            return this.logoutUser();
        }

        return Observable.throw(error);
    }

HttpClient Caveat

After publishing this article, many of you ran into a circular dependency issue when you tried to inject AuthService into the HttpInterceptor constructor. This was because you added a dependency on HttpClient for the refreshToken call. It turns out that in the HttpInterceptor, you cannot inject anything that has a dependence on HttpClient into the constructor. So to get around it, you simply need to inject the Injector Angular class into the HttpInterceptor constructor and then use that in a JIT way within the injector.

For example, when you want to do the refreshToken call using authService, do the following before the call:

let authService = this.injector.get(AuthService);

…and then proceed to use authService instead of injecting AuthService into the constructor.

We found we had to do this with the Angular Router class as well. Hope this helps!

Conclusion

The new HttpInterceptor is a new feature in Angular 4.3+ that is very powerful and useful in all applications.  As you can see, it nicely handles the OAuth refresh token seamlessly “behind the scenes” so that to the user, everything works smoothly.

35 Comments

  1. Kunle Smart on November 20, 2017 at 6:39 am

    Exactly what I was looking for. It works like charm. Thank you very much.

    • Rich Franzmeier on November 20, 2017 at 9:23 am

      Awesome! Glad it worked for you!

  2. tobbbe on December 8, 2017 at 1:42 am

    How would you make a http request in refreshToken() in authservice? You can’t use DI httpclient because then you’ll get a circular dependency?

    • Rich Franzmeier on December 8, 2017 at 7:07 am

      You shouldn’t get a circular dependency. I’m importing AuthService in the interceptor and importing HttpClient in the AuthService. Which is fine. Maybe you are confusing HttpInterceptor with HttpClient?

      • tobbbe on December 12, 2017 at 5:37 am

        AuthService < HttpClient < HttpInterceptor < AuthService < HttpClient….

        The other stuff is GREAT though thank you!! 😀 Im using Injector to get past the circular dependency

        • Rich Franzmeier on December 12, 2017 at 6:56 am

          Are you providing HttpInterceptor in the AuthService? It should only be provided in the AppModule (or whatever module but only once)

          • tobbbe on December 12, 2017 at 6:59 am

            Nope, but Im guessing HttpClient is providing HttpInterceptor internally? Im only providing HttpInterceptor in the AppModule like you do above 🙂

          • Roshen on December 12, 2017 at 9:43 pm

            Do you have a fix for this Issue ?

          • Rich Franzmeier on December 13, 2017 at 7:47 am

            The fix for this issue is to (in the interceptor service) not inject any service that has a dependency on HttpClient in the constructor. So what you do instead is use Injector in the interceptor service when you need the service that has a dependency on HttpClient. So like this: let serviceWithHttpClientDependency = this.interceptor.get(ServiceWithHttpClientDependency);

          • Roshen on December 18, 2017 at 2:45 am

            on refresh token failure its never going to catch block. How can I handle that 401 error in refresh token.

          • Rich Franzmeier on December 18, 2017 at 7:24 am

            We didn’t need to insert the token for our refresh token call – it is anonymous.

          • Roshen on December 19, 2017 at 12:17 am

            We do require a token for refresh token. On refresh token call failure which is 401 error the code is not able to catch because of this logout is never being called. For reference added the request interceptor, https://plnkr.co/edit/7ASmrALeawlgXWU0EWMq?p=preview

    • Marko Zorman on December 11, 2017 at 11:55 am

      Yes, I was having the same question/problem. To get a new access token from the request token I need to make a http request and if I try using HttpClient I get a circular dependency error.

    • Roshen on December 12, 2017 at 4:24 am

      Have you fixed this ? I am facing the same issue .

    • tobbbe on December 12, 2017 at 5:34 am

      @disqus_NhveFnvSHV:disqus @markozorman:disqus you could use Injector to get HttpClient:
      const http = this.injector.get(HttpClient);
      http.get(`/auth/refreshtoken).subscribe()

      Do not inject HttpClient in the constructor

  3. Tim Johnson on December 10, 2017 at 9:13 pm

    did I miss some config or something? the intercept seems to be called again on the refresh token call thus adding the expired token and failing the request.

    • Rich Franzmeier on December 11, 2017 at 8:18 am

      In our implementation, the refreshToken call allows anonymous calls so it doesn’t need the auth-token.

  4. Roshen on December 12, 2017 at 4:26 am

    Cannot instantiate cyclic dependency! InjectionToken_HTTP_INTERCEPTORS (“[ERROR ->]”): in NgModule AppModule in ./AppModule@-1:-1 ; Zone: ; Task: Promise.then ; Value: Error: Provider parse errors:

    Error while using HttpClient in Auth service to get the refresh token.

    • Alex on December 13, 2017 at 4:30 am

      How you bypass this issue ? Error: Provider parse errors:
      Cannot instantiate cyclic dependency! InjectionToken_HTTP_INTERCEPTORS (“[ERROR ->]”): in NgModule AppModule in ./AppModule@-1:-1

  5. Alex on December 13, 2017 at 4:42 am

    I know the code is great, but how you guys solved InjectionToken_HTTP_INTERCEPTORS (“[ERROR ->]”): in NgModule AppModule in ./AppModule@-1:-1, I’ve tried using injector inside the interceptor but still got this error :((((

    • Alex on December 13, 2017 at 6:03 am

      Finally solved ! @richfranzmeier:disqus

      thank you so much man! I’ve been trying to solve it for 3 days =) Your code is EXACTLY what I needed. All the best to you =)

      • Rich Franzmeier on December 13, 2017 at 8:58 am

        Awesome, thanks for the feedback!

  6. Rich Franzmeier on December 13, 2017 at 8:58 am

    See the updated article regarding the circular dependencies. It’s right before the conclusion section.

  7. Or Hemi on December 21, 2017 at 8:34 am

    How do I cancel the origin req when refresh token req fails? it seems as it is impossible. I need it cause I have a guard waiting for the original req to return and it makes my app stuck. thanks

  8. Victor Bredihin on December 25, 2017 at 10:30 am

    works great, but what if user reload the page when his token already expired? interceptor doesn’t work in that case

  9. Victor Bredihin on December 25, 2017 at 12:42 pm

    how to handle token refresh failure? On error it’s never go to catch block!

  10. Victor Bredihin on December 25, 2017 at 12:45 pm

    // If there is an exception calling ‘refreshToken’, bad news so logout
    this block never reached, when refreshToken respond with error, neither switchMap/catch/finally reached

  11. Roshen on December 25, 2017 at 10:48 pm

    @intertech-c51ce410c124a10e0db5e4b97fc2af39:disqus What If refresh token timed out and returned 401 instead of 400. With the given implementation its not catching the 401 error on refresh token time out.

  12. Ali Ch on January 4, 2018 at 2:48 am

    Hi,
    Nice effort, Please you share how to handle last request after refresh token and pull out from circular dependencies and have you any example or demo project please share. Thanks

  13. Sean Corrigan on January 12, 2018 at 2:39 am

    How would this work for other types of requests that aren’t GET requests?

    • Rich Franzmeier on January 14, 2018 at 2:04 pm

      It should work the same way as GET requests. Are you seeing something different?

  14. Ravi Pandit on January 15, 2018 at 12:04 am

    the refresh token code is not there in the function when token expired .

  15. Sayem on January 22, 2018 at 4:59 am

    Guyzz my problem is when there is only 1 service call it works very smooth. But i have couple of scene where i have 2 independent component who have 2 individual service to call. So when 1st call goes to service and gets 401 access_token error it dont wait for the refresh token service accomplish, the 2nd call also initiate goes to server and gets gets 401 access_token error. Please advise

  16. Murilo Boareto Delefrate on February 16, 2018 at 8:08 am

    Great great article!!!
    But, If the refreshToken() failed, the catch() and finally() are never reach!! How to fix that!?