diff --git a/libs/auth/src/lib/digid-auth.providers.ts b/libs/auth/src/lib/digid-auth.providers.ts index 1bbf9cc..0f1cb21 100644 --- a/libs/auth/src/lib/digid-auth.providers.ts +++ b/libs/auth/src/lib/digid-auth.providers.ts @@ -1,5 +1,10 @@ import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core'; -import { authInterceptor, LogLevel, provideAuth } from 'angular-auth-oidc-client'; +import { + authInterceptor, + LogLevel, + provideAuth, + withAppInitializerAuthCheck, +} from 'angular-auth-oidc-client'; import { AuthService } from './auth.service'; import { DigiadAuthService } from './digid-auth.service'; @@ -19,20 +24,25 @@ export interface DigiadAuthOptions { */ export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProviders { return makeEnvironmentProviders([ - provideAuth({ - config: { - authority: options.authority, - redirectUrl: options.redirectUrl, - postLogoutRedirectUri: options.redirectUrl, - clientId: 'big-portal', - scope: 'openid profile', - responseType: 'code', - silentRenew: true, - useRefreshToken: true, - secureRoutes: [options.secureApiOrigin], - logLevel: LogLevel.Warn, + provideAuth( + { + config: { + authority: options.authority, + redirectUrl: options.redirectUrl, + postLogoutRedirectUri: options.redirectUrl, + clientId: 'big-portal', + scope: 'openid profile', + responseType: 'code', + silentRenew: true, + useRefreshToken: true, + secureRoutes: [options.secureApiOrigin], + logLevel: LogLevel.Warn, + }, }, - }), + // Run checkAuth() at startup so the DigiD callback (?code=…) is processed before the router + // and guard run — without it the guard sees "not authenticated" and re-triggers login (loop). + withAppInitializerAuthCheck(), + ), { provide: AuthService, useClass: DigiadAuthService }, ]); }