- #730 `updateAuthState` returns a Promise.
- #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect
- #731 Fixes issue with `handleLoginRedirect` where a redirect could occur after an exception was thrown.
- #694 Adds `cookies.sessionCookie` option
- #689 New methods `start` and `stop` are added to control `OktaAuth` as a service.
- #515 Removes `token.value` field
- #540 Locks `tokenManager.expireEarlySeconds` option with the default value (30s) for non-dev environment
- #677 HTTP requests will not send cookies by default
- #678 Default value for `originalUri` is null.
- #706 Removes `isPending` from `AuthState`
- #675 Removes warning when calling `updateAuthState` when there are no subscribers
- #706 Calling `isAuthenticated` will renew expired tokens when `autoRenew` is true
- #656 Fixes `TokenManager.renew` to renew only the requested token
- #656 Adds `token.renewTokensWithRefresh`
- #652 Accepts 'state' as a constructor option
- #646 Fixes token validation to use the issuer from the well-known configuration
- #648 Updates widget to 5.4.2
- #653 Removes isLoginRedirect check in oidc logic
- #661 Upgrades node-cache to 5.1.2
- #638 Fixes an issue with revoking refresh tokens
- #632 Fixes an issue with renewing refresh tokens
- #616 Fixes issue with `fetch` on IE Edge versions 14-17.
- #627 Fixes an issue with Typescript and `StorageManagerOptions`
- #620 Adds support for `interaction_code` and `error=interaction_required` on redirect callback
- #604 Adds new utility objects: `storageManager` and `transactionManager`
- #614 Fixes issue with renewTokens and implicit flow: get responseType value from SDK configuration
- #594 Adds `@babel/runtime` to dependencies list.
- #572 Add idps options for Signin widget flow in samples
- #565 Adds support for widget version and interaction code to test app and samples
- #585 Uses native fetch, if available
- #583 Better error handling for redirect flows: if redirect URI contains `error` or `error_description` then `isLoginRedirect` will return true and `parseFromUrl` will throw `OAuthError`
- #579 Removes overeager `catch` when using refresh token
- #567 Adds new methods: `token.prepareTokenParams`, `token.exchangeCodeForTokens`, `pkce.generateVerifier`, `pkce.computeChallenge` and constant: `pkce.DEFAULT_CODE_CHALLENGE_METHOD`. This API allows more control over the PKCE authorization flow and is enabled for both browser and Node.js.
- #554 Adds MFA types
- #518 Added `claims` to `AccessToken`
- Adding the ability to use refresh tokens with single page applications (SPA) (Early Access feature - reach out to our support team)
  - `scopes` configuration option now handles 'offline_access' as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings
  - If you already have tokens (from a separate instance of auth-js or the okta-signin-widget) those tokens must already include a refresh token and have the 'offline_access' scope
  - 'offline_access' is not requested by default. Anyone using the default `scopes` and wishing to add 'offline_access' should pass `scopes: ['openid', 'email', 'offline_access']` to their constructor
  - `renewTokens()` will now use an XHR call to replace tokens if the app has a refresh token. This does not rely on "3rd party cookies"
  - The `autoRenew` option (defaults to `true`) already calls `renewTokens()` shortly before tokens expire. The `autoRenew` feature will now automatically make use of the refresh token if present
  - `signOut()` now revokes the refresh token (if present) by default, which in turn will revoke all tokens minted with that refresh token
  - The revoke calls by `signOut()` follow the existing `revokeAccessToken` parameter: when `true` (the default) any refresh token will also be revoked, and when `false`, no tokens are explicitly revoked. This parameter name is slightly misleading (as it controls both access AND refresh token revocation) and will change in a future version.
- #541 Fixes type error in `VerifyRecoveryTokenOptions`
- #535 Respects `scopes` that are set in the constructor
- #869
  - Implements `AuthStateManager` to evaluate and emit the latest authState. Exposes new methods from `AuthStateManager`: `authStateManager.getAuthState`, `authStateManager.updateAuthState`, `authStateManager.subscribe`, `authStateManager.unsubscribe`
  - Adds new methods in sdk browser scope: `sdk.signInWithCredentials`, `sdk.signInWithRedirect`, `sdk.isAuthenticated`, `sdk.getUser`, `sdk.getIdToken`, `sdk.getAccessToken`, `sdk.storeTokensFromRedirect`, `sdk.setOriginalUri`, `sdk.getOriginalUri`, `sdk.removeOriginalUri`, `sdk.isLoginRedirect`, `sdk.handleLoginRedirect`
  - Deprecates method in sdk browser scope: `sdk.signIn`
  - Adds new methods in `sdk.tokenManager`: `tokenManager.getTokens`, `tokenManager.setTokens`
  - Accepts new options: `transformAuthState`, `restoreOriginalUri`, `autoRemove`, `devMode`
- #469 Adds "rate limiting" logic to the token autoRenew process to prevent too many requests being sent out, which may cause an application rate-limit issue.
- #503 Supports relative uri for options.redirectUri
- #478 Adds cross-tab communication to sync `AuthState`.
- #525 Adds new methods `hasResponseType`, `isPKCE`, `isAuthorizationCodeFlow`. The option `responseType` is now accepted in the constructor.
- #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
- #514 Fixes OAuth redirect params issue in legacy browsers.
- #520 `token.isLoginRedirect` will check that the current URL matches the `redirectUri`
- #491 Fixes issue with OAuth param cookie when using self-hosted signin widget
- #489 Fixes sameSite cookie setting when running on HTTP connection
- #473 Fixes login issue when cookies are blocked or used as shared state storage
- #413 Adds support for Typescript. Uses named exports instead of default export.
- #444 New method `tokenManager.hasExpired` to test if a token is expired
- #444
  - Implements "active" autoRenew. Previously tokens would be renewed or removed when calling `tokenManager.get`. Now they will be renewed or removed in the background. If autoRenew is true, tokens will be renewed before expiration. If autoRenew is false, tokens will be removed from storage on expiration. The `onSessionExpired` option has been removed. TokenManager events can be used to detect and handle token renewal errors. `tokenManager.get` no longer implements autoRenew functionality (autoRenew is done by a separate process within `TokenManager`). Even with `autoRenew`, it is possible that the token returned from the TokenManager may be expired, since renewal is an asynchronous process. The new method `tokenManager.hasExpired` can be used to test the token and avoid this potential race condition.
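How a renewal-side `hasExpired` check and a receipt-side clock-skew check fit together, as an added example for this page (an illustrative class, not the SDK's `TokenManager`). It folds in the `expireEarlySeconds` option introduced by d8d2fee further down the log, the non-dev lock from #540, and the `maxClockSkew` option documented below; the `now` and `warn` injections exist only so the behaviour can be checked at a fixed time without console noise.

```javascript
// Added example, not okta-auth-js source. Token objects carry `expiresAt` (seconds since
// the epoch, as the SDK stores them) and optionally `issuedAt`.
const DEFAULT_EXPIRE_EARLY_SECONDS = 30;  // the default #540 locks outside devMode
const DEFAULT_MAX_CLOCK_SKEW = 300;       // tolerance for the client clock, not an early-expiry window

class TokenExpiryChecker {
  constructor({ expireEarlySeconds = DEFAULT_EXPIRE_EARLY_SECONDS,
                maxClockSkew = DEFAULT_MAX_CLOCK_SKEW,
                devMode = false,
                now = () => Math.floor(Date.now() / 1000),
                warn = console.warn } = {}) {
    // Outside devMode the early-expiry window is pinned: a large value would renew on
    // every access and a zero or negative one would hand out tokens that are already dead.
    if (!devMode && expireEarlySeconds !== DEFAULT_EXPIRE_EARLY_SECONDS) {
      warn('expireEarlySeconds is only configurable in devMode; using ' + DEFAULT_EXPIRE_EARLY_SECONDS);
      expireEarlySeconds = DEFAULT_EXPIRE_EARLY_SECONDS;
    }
    this.expireEarlySeconds = expireEarlySeconds;
    this.maxClockSkew = maxClockSkew;
    this.now = now;
  }

  // Renewal-side check: true when the token is within expireEarlySeconds of expiry (or
  // past it). autoRenew uses this to renew while the old token is still accepted upstream.
  hasExpired(token) {
    return token.expiresAt - this.expireEarlySeconds <= this.now();
  }

  // Receipt-side check for a token just returned by the server: tolerate the client clock
  // being up to maxClockSkew seconds off in either direction. Mixing this tolerance into
  // hasExpired is exactly the "expired 5 minutes early" bug listed further down the log.
  isAcceptableOnReceipt(token) {
    const now = this.now();
    const notYetExpired = now < token.expiresAt + this.maxClockSkew;
    const alreadyIssued = token.issuedAt === undefined || token.issuedAt - this.maxClockSkew <= now;
    return notYetExpired && alreadyIssued;
  }
}

// The race noted above: with active autoRenew the background renewal may not have landed
// when a caller reads the token. Gate the read so a stale token is never attached to a request.
function usableAccessToken(checker, token) {
  if (!token || checker.hasExpired(token)) return null;
  return token.accessToken;
}
```

Keeping the two checks separate is the security-relevant point: the early-expiry window decides when to renew, the skew window decides whether to trust a token at all, and a token that fails `hasExpired` should be treated as absent rather than sent and left for the resource server to reject.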
- #522 Fixes `token.isLoginRedirect` issue with `code` query params in url
- #517 Fixes OAuth redirect params issue in legacy browsers
- #440 Fixes signOut XHR fallback to reload page only if postLogoutRedirectUri matches the current URI
- #445 Clears access token from storage after token revocation
- #422 Fixes revoke accessToken in signOut method
- #441 Fixes issue involving an "invalid grant" error: "PKCE verification failed."
- #431 Skips non-parsable iframe messages for `sdk.fingerprint`
- #408 Provides a polyfill for IE 11+
- #410 Adds `token.isLoginRedirect` function to prevent the app from starting a new OAuth flow while already in the OAuth callback state.
- #400 Allows an accessToken to be retrieved without an idToken. Also allows retrieving "default" scopes as defined by the custom authorization server.
- #402 Fixes tokenManager cookie storage size limitation issue by storing tokens in separate cookies.
- #395 Prevents concurrent use of token API methods such as `getWithoutPrompt`, `getWithRedirect` or `getWithPopup` within a single running instance. These methods will be executed within a queue to ensure that they complete sequentially. This fix only affects a single instance. If there are several instances running (for example, in multiple tabs) it is still possible for token API methods to be executing concurrently.
- #399 Fixes an error involving PKCE flow and the signin widget.
- #384 Shifts browser storage for ephemeral PKCE code challenge to default to sessionStorage before localStorage or cookies.
- This should reduce problems with multiple tabs making overlapping requests to renew tokens.
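The two concurrency controls described in the #395 entry above and in the later "TokenManager: return existing promise for concurrent requests" entry, as one added example for this page (our helper, not SDK code): a per-instance serial queue so token API calls run one at a time, and an in-flight map so concurrent renewals of the same token share one promise instead of sending duplicate requests. The fake request helper and the timings are constructed stand-ins for network calls.

```javascript
// Added example, not okta-auth-js source.
class TokenRequestCoordinator {
  constructor() {
    this.tail = Promise.resolve();  // end of the serial chain
    this.inFlight = new Map();      // key -> promise of the request already running
  }

  // Run task only after every previously enqueued task has settled (success or failure).
  // The caller gets task's own promise, so a failure still reaches the caller, while a
  // swallowed copy becomes the new tail so one failure does not wedge the queue.
  enqueue(task) {
    const run = this.tail.then(() => task());
    this.tail = run.then(() => undefined, () => undefined);
    return run;
  }

  // Share one promise per key while it is pending; once settled, the next call does real
  // work again. This is what stops N callers renewing the same token N times.
  dedupe(key, task) {
    const existing = this.inFlight.get(key);
    if (existing) return existing;
    const p = Promise.resolve().then(task).finally(() => this.inFlight.delete(key));
    this.inFlight.set(key, p);
    return p;
  }
}

// Constructed stand-in for a token request: logs start/end and resolves after delayMs.
function fakeRequest(log, name, delayMs) {
  return () => new Promise((resolve) => {
    log.push('start:' + name);
    setTimeout(() => { log.push('end:' + name); resolve(name); }, delayMs);
  });
}

// Two token API calls issued back to back: the second does not start until the first
// has finished, even though on its own it would finish sooner.
async function demoSerialQueue() {
  const log = [];
  const c = new TokenRequestCoordinator();
  await Promise.all([
    c.enqueue(fakeRequest(log, 'getWithoutPrompt', 20)),
    c.enqueue(fakeRequest(log, 'getWithPopup', 5)),
  ]);
  return log;
}

// A failing call must not block the calls queued behind it.
async function demoFailureDoesNotWedge() {
  const c = new TokenRequestCoordinator();
  const failed = await c.enqueue(() => Promise.reject(new Error('network'))).catch((e) => e.message);
  const next = await c.enqueue(() => 'ok');
  return { failed, next };
}

// Three concurrent renewals for the same token key trigger one request; a fourth call
// after it settles triggers a fresh one.
async function demoDedupe() {
  const log = [];
  const c = new TokenRequestCoordinator();
  const renew = fakeRequest(log, 'renew:accessToken', 5);
  const results = await Promise.all([
    c.dedupe('accessToken', renew), c.dedupe('accessToken', renew), c.dedupe('accessToken', renew),
  ]);
  await c.dedupe('accessToken', renew);
  return { results, requestsSent: log.filter((e) => e.startsWith('start:')).length };
}
```

As the entry notes, this only serialises calls inside one instance; a second tab has its own queue and its own in-flight map, which is why the later cross-tab sync and the sessionStorage default for ephemeral PKCE state exist.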
- #386 Fixes `token.verify`: `validationParams` should be optional.
- #369
  - Will reject with error if PKCE is enabled but not supported when OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows
  - Will print a console warning and disable secure cookies if cookies.secure is enabled on an HTTP connection. Previously this would throw in the constructor.
- #363
  - Expose server bundle for React Native platform as an Authentication SDK.
  - Handle userAgent customization with newly added userAgent field in config.
- #354 - Omit cookies from API requests. Removes warning messages in latest version of Chrome.
- #355 - Fix for authorization_code flow for non-SPA applications (when responseType=code and pkce=false). The code can be retrieved client-side using `parseFromUrl()` without throwing an error.
- New option `cookies` allows overriding default `secure` and `sameSite` values.
- #308 - Removed `jquery` and `reqwest` httpRequesters
- #309 - Removed `Q` library, now using standard Promise. IE11 will require a polyfill for the `Promise` object. Use of `Promise.prototype.finally` requires Node > 10.3 for server-side use.
- #310 - New behavior for signOut()
  - `postLogoutRedirectUri` will default to `window.location.origin`
  - signOut() will revoke access token and perform redirect by default. Fallback to XHR closeSession() if no idToken.
  - New method closeSession() for XHR signout without redirect or reload.
  - New method revokeAccessToken()
- #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The `state` parameter (passed to authorize request) is also returned.
- #313 - An HTTPS origin will be enforced unless running on `http://localhost` or `cookies.secure` is set to `false`
- #316 - Option `issuer` is required. Option `url` has been deprecated and is no longer used.
- #317 - `pkce` option is now `true` by default. `grantType` option is removed.
- #320 - `getWithRedirect`, `getWithPopup`, and `getWithoutPrompt` previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.
  - Default responseType when using implicit flow is now `['token', 'id_token']`.
  - When both access token and id token are returned, the id token's `at_hash` claim will be validated against the access token
- #325 - Previously, the default `responseMode` for PKCE was `"fragment"`. It is now `"query"`. Unless explicitly specified using the `responseMode` option, the `response_mode` parameter is no longer passed by `token.getWithRedirect` to the `/authorize` endpoint. The `response_mode` will be set by the backend according to the OpenID specification. Implicit flow will use `"fragment"` and PKCE will use `"query"`. If previous behavior is desired, PKCE can set the `responseMode` option to `"fragment"`.
- #329 - Fix internal fetch implementation. `responseText` will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as `responseJSON` and `responseType` will be set to "json". Invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the `status` code returned from the server.
- #306 - Now using babel for ES5 compatibility. All polyfills have been removed.
- #312 - Added an E2E test for server-side authentication (node module, not webpack).
- #338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless `tokenManager.secure` is set to `true` via config.
- #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)
- #324 - Support `responseMode: "query"` option for SPA apps using PKCE flow
- #315 - `getWellKnown` was using base url over issuer. Method has been fixed to use issuer, if configured, and will fall back to base url
- #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)
- #304 - Will set a 'SameSite' value on all cookies set by this SDK
- Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'
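The cookie attribute policy the entries above converge on (#304 and #319 setting SameSite on every cookie, #334 using None for the iframe case, #338 tying Secure to HTTPS and falling back to Lax on HTTP, #369 warning instead of throwing, and the `cookies` option overriding `secure` and `sameSite`), as one added example for this page. It is our synthesis, not SDK code; the exact values the SDK chose changed across those releases. `isHttps` stands in for `window.location.protocol === 'https:'`, and the `warn` callback replaces the console so the downgrades can be observed in a test.

```javascript
// Added example, not okta-auth-js source.
const SAME_SITE_VALUES = ['none', 'lax', 'strict'];

// Returns the attribute list for a cookie the SDK sets. A Secure cookie written from an
// HTTP page is silently dropped by the browser, so the request is downgraded with a
// warning rather than honoured; SameSite=None is only accepted by Chrome 80+ together
// with Secure, so without Secure it falls back to Lax.
function cookieAttributes({ secure, sameSite, isHttps }, warn = console.warn) {
  let wantSecure = secure !== undefined ? Boolean(secure) : isHttps;
  if (wantSecure && !isHttps) {
    warn('cookies.secure requested on an HTTP page; a Secure cookie cannot be set from HTTP, disabling');
    wantSecure = false;
  }
  // None is what a cross-site token-renewal iframe needs; Lax is the safe default otherwise.
  let wantSameSite = sameSite !== undefined ? String(sameSite).toLowerCase() : (wantSecure ? 'none' : 'lax');
  if (!SAME_SITE_VALUES.includes(wantSameSite)) throw new Error('invalid sameSite value: ' + sameSite);
  if (wantSameSite === 'none' && !wantSecure) {
    warn('SameSite=None is only honoured together with Secure (Chrome 80+); falling back to Lax');
    wantSameSite = 'lax';
  }
  const attrs = [];
  if (wantSecure) attrs.push('Secure');
  attrs.push('SameSite=' + wantSameSite[0].toUpperCase() + wantSameSite.slice(1));
  return attrs;
}

// Full document.cookie / Set-Cookie string. Path=/ is what a SPA needs so the value is
// visible on the callback route; expires is an optional Date for persistent cookies.
function buildCookieString(name, value, opts, warn) {
  const parts = [encodeURIComponent(name) + '=' + encodeURIComponent(value), 'Path=/'];
  if (opts.expires instanceof Date) parts.push('Expires=' + opts.expires.toUTCString());
  return parts.concat(cookieAttributes(opts, warn)).join('; ');
}
```

Token storage is the one place to override the default: as the #338 entry says, TokenManager cookies stay `SameSite=Lax` unless explicitly made secure, because tokens should never ride along on a cross-site request.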
- #271 - New option `onSessionExpired`
- #293 - Copy markdown files to package directory during publish
- #288 - New options for `signOut`:
  - Can provide a post-logout redirect URI.
  - Can revoke access token
- #288 - calling `signOut` will clear the TokenManager.
- #284 - `isPKCESupported` will return false if `TextEncoder` is not available (IE Edge).
- #284 - better error messages when attempting to use PKCE in an unsupported browser configuration.
- Fixes incorrect npm publish of previous version
- #266 - New storage options for TokenManager
- #265 - Fix for popup blockers
- #256 - Adds E2E tests, updates test app
- #249 - Convert to yarn workspace
- #264 - Removed lib/config.js, replaced with lib/constants.js and webpack define
- add5369 Add support to pass callback to poll function
- 541683 Origin mismatch will now cause promise rejection (token renew)
- d9900a TokenManager: return existing promise for concurrent requests
- 77ece4 Clear token on 'AuthSdkError'
- (#238) - Adds pass-thru of optional 'loginHint' and 'idpScopes' params (resolves issue #214)
- (#235) - Option `grantType` has been deprecated and will be removed in 3.0
- (#233) - New option `pkce`
- (#233) The default `responseMode` was incorrectly set to `fragment` instead of `query` when the `responseType` was `code`. This regression was introduced in version `2.6.0`.
- 747216b fix build process, so that /dist/okta-auth-js.min.js is for browsers (since version 2.2.0, dist/ output was being built for node.js applications, which was not intended)
- d8d2fee TokenManager: new option `expireEarlySeconds`
- TokenManager: Re-enables use of custom storage keys
- TokenManager: Document the `maxClockSkew` option
- 0a8a4e1 PKCE support
- TokenManager: tokens were being expired 5 minutes early
- d736cc9 - New TokenManager option to support HTTPS-only "secure" cookies.
- fddec0a - Use `fetch` as the default request agent (instead of `reqwest`).
- #187 - When deprecated `ajaxRequest` was passed to config, the logger for the deprecate message was still using window.console. This fix makes the logger isomorphic.
- #184 - Adds support for calling the AuthN API from Node
- #172 - Fixes an issue where default storage was read-only
- #161 - `ignoreSignature` was not set when redirecting
- Fixed a problem, introduced in 2.0.0, that was causing tokens to be refreshed every time `authClient.tokenManager.get('accessToken')` was called.
- Token retrieval is now asynchronous to account for automatic token renewal.

  ```javascript
  // ES2016+
  const accessToken = await authClient.tokenManager.get('accessToken');

  // Handle as a promise
  authClient.tokenManager.get('accessToken')
    .then(function(accessToken) {
      console.log(accessToken);
    });
  ```
- Removed the following deprecated methods: `idToken.authorize`, `idToken.verify`, `idToken.refresh`, `idToken.decode`
- Clears whitespace around URLs when instantiating the client.
- Infer the `url` from the `issuer` to simplify client setup.
- Renames all `refresh` methods on the `token` and `tokenManager` objects to `renew`.