From 074101e836698503ec6ae38967afa6aa425e07ec Mon Sep 17 00:00:00 2001 From: Niek Otten Date: Wed, 1 Jul 2026 13:26:42 +0200 Subject: [PATCH] fix(portal-self-service): run checkAuth() at startup to end the login redirect loop (refs #67) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without an app-init auth check, the DigiD callback (?code=…) was never processed, so the guard kept seeing 'not authenticated' and re-triggered login — an infinite redirect loop. Add withAppInitializerAuthCheck() so checkAuth() runs before the router and guard, establishing the session on the callback. Co-Authored-By: Claude Opus 4.8 (1M context) --- libs/auth/src/lib/digid-auth.providers.ts | 38 ++++++++++++++--------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/libs/auth/src/lib/digid-auth.providers.ts b/libs/auth/src/lib/digid-auth.providers.ts index 1bbf9cc..0f1cb21 100644 --- a/libs/auth/src/lib/digid-auth.providers.ts +++ b/libs/auth/src/lib/digid-auth.providers.ts @@ -1,5 +1,10 @@ import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core'; -import { authInterceptor, LogLevel, provideAuth } from 'angular-auth-oidc-client'; +import { + authInterceptor, + LogLevel, + provideAuth, + withAppInitializerAuthCheck, +} from 'angular-auth-oidc-client'; import { AuthService } from './auth.service'; import { DigiadAuthService } from './digid-auth.service'; @@ -19,20 +24,25 @@ export interface DigiadAuthOptions { */ export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProviders { return makeEnvironmentProviders([ - provideAuth({ - config: { - authority: options.authority, - redirectUrl: options.redirectUrl, - postLogoutRedirectUri: options.redirectUrl, - clientId: 'big-portal', - scope: 'openid profile', - responseType: 'code', - silentRenew: true, - useRefreshToken: true, - secureRoutes: [options.secureApiOrigin], - logLevel: LogLevel.Warn, + provideAuth( + { + config: { + authority: options.authority, + redirectUrl: options.redirectUrl, + postLogoutRedirectUri: options.redirectUrl, + clientId: 'big-portal', + scope: 'openid profile', + responseType: 'code', + silentRenew: true, + useRefreshToken: true, + secureRoutes: [options.secureApiOrigin], + logLevel: LogLevel.Warn, + }, }, - }), + // Run checkAuth() at startup so the DigiD callback (?code=…) is processed before the router + // and guard run — without it the guard sees "not authenticated" and re-triggers login (loop). + withAppInitializerAuthCheck(), + ), { provide: AuthService, useClass: DigiadAuthService }, ]); }