Angular 2/5 JWT Authentication Example & Tutorial
Tutorial built with Angular 5.2.11
Other versions available:
- Angular: Angular 14, 10, 9, 8, 7, 6
- React: React 18 + Redux, React + Recoil, React 16 + Redux, React + RxJS
- Vue: Vue 3 + Pinia, Vue.js + Vuex
- Next.js: Next.js 11
- AngularJS: AngularJS
- ASP.NET Core: Blazor WebAssembly
The following is a custom example of how to setup a simple login page using Angular 2/5 and JWT authentication.
Project is available on GitHub at https://github.com/cornflourblue/angular2-jwt-authentication-example.
Here it is in action: (See on StackBlitz at https://stackblitz.com/edit/angular-2-5-jwt-authentication-example)
- 31 May 2018 - Updated to Angular 5.2.11 and to the new HttpClient
- 23 May 2018 - For an updated version built with Angular 6 check out Angular 6 - JWT Authentication Example & Tutorial.
- 07 Dec 2017 - For the same example built with React and Redux go to React + Redux - JWT Authentication Tutorial & Example
- 23 Nov 2017 - Updated to Angular 5.0.3
- 20 May 2017 - Updated to Angular 4.1.3
- 16 Mar 2017 - Updated to Angular 2.4.9
- 19 Nov 2016 - Updated to Angular 2.2.1
- 29 Sep 2016 - For an extended example that includes user registration go to Angular 2 User Registration and Login Example & Tutorial
- 21 Sep 2016 - Updated to Angular 2.0 Final
Running the Angular 2/5 JWT Login Example Locally
- Install NodeJS and NPM from https://nodejs.org/en/download/.
- Download the project source code from https://github.com/cornflourblue/angular2-jwt-authentication-example
- Install all required npm packages by running
npm installfrom the command line in the project root folder (where the package.json is located). - Start the application by running
npm startfrom the command line in the project root folder.
Angular 2/5 Project Structure
I used the Angular 2 quickstart project as a base for the application, it's written in TypeScript and uses systemjs for loading modules. If you're new to angular 2 I'd recommend checking out the quickstart as it provides details on the project tooling and configuration files which aren't covered in this post.
The project and code structure mostly follows the recommendations in the official Angular 2 style guide, with my own tweaks here and there.
Each feature has it's own folder (home & login), other code such as services, models, guards etc are placed in folders prefixed with an underscore to easily differentiate them and group them together at the top of the folder structure.
- app
- _guards
- auth.guard.ts
- index.ts
- _helpers
- fake-backend.ts
- jwt.interceptor.ts
- index.ts
- _models
- user.ts
- index.ts
- _services
- authentication.service.ts
- user.service.ts
- index.ts
- home
- home.component.html
- home.component.ts
- index.ts
- login
- login.component.html
- login.component.ts
- index.ts
- app.component.html
- app.component.ts
- app.module.ts
- app.routing.ts
- main.ts
- _guards
- app.css
- index.html
- package.json
- system.config.js
- tsconfig.json
Below are brief descriptions and the code for the main files of the example application, all files are available in the github project linked at the top of the post.
Angular 2/5 Auth Guard
The auth guard is used to prevent unauthenticated users from accessing restricted routes, it's used in app.routing.ts to protect the home page route. For more information about angular 2 guards you can check out this post on the thoughtram blog.
import { Injectable } from '@angular/core';
import { Router, CanActivate, ActivatedRouteSnapshot, RouterStateSnapshot } from '@angular/router';
@Injectable()
export class AuthGuard implements CanActivate {
constructor(private router: Router) { }
canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot) {
if (localStorage.getItem('currentUser')) {
// logged in so return true
return true;
}
// not logged in so redirect to login page
this.router.navigate(['/login'], { queryParams: { returnUrl: state.url }});
return false;
}
}Angular 2/5 Fake Backend Provider
The fake backend provider enables the example to run without a backend / backendless, I created it so I could focus the example and tutorial just on the angular 2 code, and also so it works on StackBlitz.
It's implemented using the HttpInterceptor class that was introduced in Angular 4.3 as part of the new HttpClientModule. By extending the HttpInterceptor class you can create a custom interceptor to modify http requests before they get sent to the server. In this case the FakeBackendInterceptor intercepts certain requests based on their URL and provides a fake response instead of going to the server.
import { Injectable } from '@angular/core';
import { HttpRequest, HttpResponse, HttpHandler, HttpEvent, HttpInterceptor, HTTP_INTERCEPTORS } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';
import 'rxjs/add/observable/of';
import 'rxjs/add/observable/throw';
import 'rxjs/add/operator/delay';
import 'rxjs/add/operator/mergeMap';
import 'rxjs/add/operator/materialize';
import 'rxjs/add/operator/dematerialize';
@Injectable()
export class FakeBackendInterceptor implements HttpInterceptor {
constructor() { }
intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
let testUser = { id: 1, username: 'test', password: 'test', firstName: 'Test', lastName: 'User' };
// wrap in delayed observable to simulate server api call
return Observable.of(null).mergeMap(() => {
// authenticate
if (request.url.endsWith('/api/authenticate') && request.method === 'POST') {
if (request.body.username === testUser.username && request.body.password === testUser.password) {
// if login details are valid return 200 OK with a fake jwt token
return Observable.of(new HttpResponse({ status: 200, body: { token: 'fake-jwt-token' } }));
} else {
// else return 400 bad request
return Observable.throw('Username or password is incorrect');
}
}
// get users
if (request.url.endsWith('/api/users') && request.method === 'GET') {
// check for fake auth token in header and return users if valid, this security is implemented server side in a real application
if (request.headers.get('Authorization') === 'Bearer fake-jwt-token') {
return Observable.of(new HttpResponse({ status: 200, body: [testUser] }));
} else {
// return 401 not authorised if token is null or invalid
return Observable.throw('Unauthorised');
}
}
// pass through any requests not handled above
return next.handle(request);
})
// call materialize and dematerialize to ensure delay even if an error is thrown (https://github.com/Reactive-Extensions/RxJS/issues/648)
.materialize()
.delay(500)
.dematerialize();
}
}
export let fakeBackendProvider = {
// use fake backend in place of Http service for backend-less development
provide: HTTP_INTERCEPTORS,
useClass: FakeBackendInterceptor,
multi: true
};Angular 2/5 JWT Interceptor
The JWT Interceptor intercepts http requests from the application to add a JWT auth token to the Authorization header if the user is logged in.
It's implemented using the HttpInterceptor class that was introduced in Angular 4.3 as part of the new HttpClientModule. By extending the HttpInterceptor class you can create a custom interceptor to modify http requests before they get sent to the server.
Http interceptors are added to the request pipeline in the providers section of the app.module.ts file.
import { Injectable } from '@angular/core';
import { HttpRequest, HttpHandler, HttpEvent, HttpInterceptor } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';
@Injectable()
export class JwtInterceptor implements HttpInterceptor {
intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
// add authorization header with jwt token if available
let currentUser = JSON.parse(localStorage.getItem('currentUser'));
if (currentUser && currentUser.token) {
request = request.clone({
setHeaders: {
Authorization: `Bearer ${currentUser.token}`
}
});
}
return next.handle(request);
}
}Angular 2/5 User Model
The user model is a small class that defines the properties of a user.
export class User {
username: string;
password: string;
firstName: string;
lastName: string;
}Angular 2/5 JWT Authentication Service
The authentication service is used to login and logout of the application, to login it posts the users credentials to the api and checks the response for a JWT token, if there is one it means authentication was successful so the user details including the token are added to local storage.
The logged in user details are stored in local storage so the user will stay logged in if they refresh the browser and also between browser sessions until they logout. If you don't want the user to stay logged in between refreshes or sessions the behaviour could easily be changed by storing user details somewhere less persistent such as session storage or in a property of the authentication service.
import { Injectable } from '@angular/core';
import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';
import 'rxjs/add/operator/map'
@Injectable()
export class AuthenticationService {
constructor(private http: HttpClient) { }
login(username: string, password: string) {
return this.http.post<any>('/api/authenticate', { username: username, password: password })
.map(user => {
// login successful if there's a jwt token in the response
if (user && user.token) {
// store user details and jwt token in local storage to keep user logged in between page refreshes
localStorage.setItem('currentUser', JSON.stringify(user));
}
return user;
});
}
logout() {
// remove user from local storage to log user out
localStorage.removeItem('currentUser');
}
}Angular 2/5 User Service
The user service contains a method for getting all users from the api, I included it to demonstrate accessing a secure api endpoint with the http authorization header set after logging in to the application, the auth header is set with a JWT token with the JWT Interceptor above. The secure endpoint in the example is a fake one implemented in the fake backend provider above.
import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { User } from '../_models/index';
@Injectable()
export class UserService {
constructor(private http: HttpClient) { }
getAll() {
return this.http.get<User[]>('/api/users');
}
}Angular 2/5 Home Component Template
The home component template contains html and angular 2 template syntax for displaying a simple welcome message, a list of users and a logout link.
<div class="col-md-6 col-md-offset-3">
<h1>Home</h1>
<p>You're logged in with JWT!!</p>
<div>
Users from secure api end point:
<ul>
<li *ngFor="let user of users">{{user.firstName}} {{user.lastName}}</li>
</ul>
</div>
<p><a [routerLink]="['/login']">Logout</a></p>
</div>Angular 2/5 Home Component
The home component defines an angular 2 component that gets all users from the user service and makes them available to the template via the 'users' property.
import { Component, OnInit } from '@angular/core';
import 'rxjs/add/operator/first';
import { User } from '../_models/index';
import { UserService } from '../_services/index';
@Component({
moduleId: module.id,
templateUrl: 'home.component.html'
})
export class HomeComponent implements OnInit {
users: User[] = [];
constructor(private userService: UserService) { }
ngOnInit() {
// get users from secure api end point
this.userService.getAll()
.first()
.subscribe(users => {
this.users = users;
});
}
}Angular 2/5 Login Component Template
The login component template contains a login form with username and password fields. It displays validation messages for invalid fields when the submit button is clicked. On form submit the login() method is called.
<div class="col-md-6 col-md-offset-3">
<div class="alert alert-info">
Username: test<br />
Password: test
</div>
<h2>Login</h2>
<form name="form" (ngSubmit)="f.form.valid && login()" #f="ngForm" novalidate>
<div class="form-group" [ngClass]="{ 'has-error': f.submitted && !username.valid }">
<label for="username">Username</label>
<input type="text" class="form-control" name="username" [(ngModel)]="model.username" #username="ngModel" required />
<div *ngIf="f.submitted && !username.valid" class="help-block">Username is required</div>
</div>
<div class="form-group" [ngClass]="{ 'has-error': f.submitted && !password.valid }">
<label for="password">Password</label>
<input type="password" class="form-control" name="password" [(ngModel)]="model.password" #password="ngModel" required />
<div *ngIf="f.submitted && !password.valid" class="help-block">Password is required</div>
</div>
<div class="form-group">
<button [disabled]="loading" class="btn btn-primary">Login</button>
<img *ngIf="loading" src="data:image/gif;base64,R0lGODlhEAAQAPIAAP///wAAAMLCwkJCQgAAAGJiYoKCgpKSkiH/C05FVFNDQVBFMi4wAwEAAAAh/hpDcmVhdGVkIHdpdGggYWpheGxvYWQuaW5mbwAh+QQJCgAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQJCgAAACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkECQoAAAAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkECQoAAAAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkECQoAAAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQJCgAAACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQJCgAAACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAkKAAAALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==" />
</div>
<div *ngIf="error" class="alert alert-danger">{{error}}</div>
</form>
</div>Angular 2/5 Login Component
The login component uses the authentication service to login and logout of the application. It automatically logs the user out when it initializes (ngOnInit) so the login page can also be used to logout.
import { Component, OnInit } from '@angular/core';
import { Router, ActivatedRoute } from '@angular/router';
import 'rxjs/add/operator/first';
import { AuthenticationService } from '../_services/index';
@Component({
moduleId: module.id,
templateUrl: 'login.component.html'
})
export class LoginComponent implements OnInit {
model: any = {};
loading = false;
returnUrl: string;
error = '';
constructor(
private route: ActivatedRoute,
private router: Router,
private authenticationService: AuthenticationService) { }
ngOnInit() {
// reset login status
this.authenticationService.logout();
// get return url from route parameters or default to '/'
this.returnUrl = this.route.snapshot.queryParams['returnUrl'] || '/';
}
login() {
this.loading = true;
this.authenticationService.login(this.model.username, this.model.password)
.first()
.subscribe(
data => {
this.router.navigate([this.returnUrl]);
},
error => {
this.error = error;
this.loading = false;
});
}
}Angular 2/5 App Component Template
The app component template is the root component template of the application, it contains a router-outlet directive for displaying the contents of each view based on the current route / path.
<!-- main app container -->
<div class="jumbotron">
<div class="container">
<div class="col-sm-8 col-sm-offset-2">
<router-outlet></router-outlet>
</div>
</div>
</div>Angular 2/5 App Component
The app component is the root component of the application, it defines the root tag of the app as <app></app> with the selector property.
The moduleId property is set to allow a relative path to be used for the templateUrl.
import { Component } from '@angular/core';
@Component({
moduleId: module.id,
selector: 'app',
templateUrl: 'app.component.html'
})
export class AppComponent { }Angular 2/5 App Module
The app module defines the root module of the application along with metadata about the module. For more info about angular 2 modules check out this page on the official docs site.
This is where the fake backend provider is added to the application, to switch to a real backend simply remove the providers located under the comment "// providers used to create fake backend".
import { NgModule } from '@angular/core';
import { BrowserModule } from '@angular/platform-browser';
import { FormsModule } from '@angular/forms';
import { HttpClientModule, HTTP_INTERCEPTORS } from '@angular/common/http';
// used to create fake backend
import { fakeBackendProvider } from './_helpers/index';
import { AppComponent } from './app.component';
import { routing } from './app.routing';
import { AuthGuard } from './_guards/index';
import { JwtInterceptor } from './_helpers/index';
import { AuthenticationService, UserService } from './_services/index';
import { LoginComponent } from './login/index';
import { HomeComponent } from './home/index';
@NgModule({
imports: [
BrowserModule,
FormsModule,
HttpClientModule,
routing
],
declarations: [
AppComponent,
LoginComponent,
HomeComponent
],
providers: [
AuthGuard,
AuthenticationService,
UserService,
{
provide: HTTP_INTERCEPTORS,
useClass: JwtInterceptor,
multi: true
},
// providers used to create fake backend
fakeBackendProvider
],
bootstrap: [AppComponent]
})
export class AppModule { }Angular 2/5 App Routing
The app routing file defines the routes of the application, each route contains a path and associated component. The home route is secured by passing the AuthGuard to the canActivate property of the route.
import { Routes, RouterModule } from '@angular/router';
import { LoginComponent } from './login/index';
import { HomeComponent } from './home/index';
import { AuthGuard } from './_guards/index';
const appRoutes: Routes = [
{ path: 'login', component: LoginComponent },
{ path: '', component: HomeComponent, canActivate: [AuthGuard] },
// otherwise redirect to home
{ path: '**', redirectTo: '' }
];
export const routing = RouterModule.forRoot(appRoutes);Angular 2/5 Main (Bootstrap) File
The main file is the entry point used by angular to launch and bootstrap the application.
import { platformBrowserDynamic } from '@angular/platform-browser-dynamic';
import { AppModule } from './app.module';
platformBrowserDynamic().bootstrapModule(AppModule);
Need Some Angular 2 Help?
Search fiverr for freelance Angular 2 developers.
Follow me for updates
When I'm not coding...
Me and Tina are on a motorcycle adventure around Australia.
Come along for the ride!