auth0-spa-js

Fixed

• [SDK-2156] Heed timeoutInSeconds when calling getTokenSilently with refresh tokens #639 (stevehobbsdev) (#636)

[SDK-2121] Add support for ID token validation for Organizations #631 (stevehobbsdev)

Note: This relates to a product feature that is not yet generally available
for public consumption.

Changed

• [SDK-2037] Remove cacheLocation guard from checkSession #613 (frederikprijck)
• [SDK-2092] Do not use Web Worker for Safari < 12.1 #612 (frederikprijck)

Fixed

• Fix leaking windows message event listener #422 (yinzara)

Added

• [SDK-2042] Fallback option for transactions using cookies #603 (stevehobbsdev)
• Refactor logout to use buildLogoutUrl #595 (rnwolfe)
• Add an option to extend cookie expire day #586 (luisfmsouza)

Fixed

• Use AbortController polyfill in Web Worker #598 (frederikprijck)
• [SDK-1994] GMaps breaks SPA JS on IE11 #592 (adamjmcgrath)

Fixed

• Remove sessionStorage requirement from instantiation to fix SSR environments #578 (adamjmcgrath)

Added

• [SDK-1858] Create legacy samsite cookie by default #568 (adamjmcgrath)

Changed

• Dependency updates #569 (stevehobbsdev)
• Update FAQ.md with information on silent authentication problems #550 (stevehobbsdev)

Fixed

• [SDK-1837] Session storage support for transactions #564 (stevehobbsdev)
• [SDK-1924] client methods should handle partially filled arguments #561 (adamjmcgrath)
• [SDK-1885] Add some additional state validation #560 (adamjmcgrath)
• [SDK-1912] Unnecessary latency in getTokenSilently with primed cache #558 (adamjmcgrath)
• fix: add missing types to utils.ts and errors.ts #547 (SeyyedKhandon)
• Exclude windows absolute paths as well as posix #534 (adamjmcgrath)

Added

• [SDK-1560] Allow issuer as url #523 (adamjmcgrath)
• [SDK-1790] use refresh_tokens with multiple audiences #521 (adamjmcgrath)
• [SDK-1650] Add message to errors that don't have one #520 (adamjmcgrath)

Fixed

• [SDK-1798] prevent unnecessary token requests #525 (adamjmcgrath)
• [SDK-1789] Add custom initial options to the 2 getToken methods #524 (adamjmcgrath)

Changed

• [SDK-1696] Allow caller of cache.get to specify an expiry time adjustment #491 (stevehobbsdev)

Fixed

• Don't include mocks in build #503 (adamjmcgrath)
• [SDK-1699] Fix ID token validation for auth_time #497 (stevehobbsdev)
• Add secure attribute to cookies if served over HTTPS #472 (ties-v)

Added

• [SDK-1695] Add auth0Client option so wrapper libraries can send their own client info #490 (adamjmcgrath)
• Add checkSession and ignore recoverable errors #482 (adamjmcgrath)

Fixed

• Update docs for returnTo and client_id params on logout #484 (stevehobbsdev)

Fixed

• [SDK-1640] Allow the client to be constructed in a Node SSR environment #471 (adamjmcgrath)
• [SDK-1634] Pass custom options to the token endpoint #465 (stevehobbsdev)
• [SDK-1649] Fix issue where cache was missed when scope parameter was provided #461 (adamjmcgrath)

Fixed

• Fix issue with create-react-app webpack build #451 (adamjmcgrath)

This version fixes a problem using the SDK within a Gatsby site, which would fail a build with a "Blob is not defined" error, as well as introducing the ability to specify custom default scopes.

Custom default scopes

Usage:

await createAuth0Client({
  domain: 'your-domain.auth0.com',
  client_id: 'some-client-id-xyz',
  advancedOptions: {
    defaultScope: 'email'
  }
}

Full changelog

Added

• [SDK-1417] Customizable default scopes #435 (stevehobbsdev)
• include polyfill for Set #426 (tony-aq)

Fixed

• Update rollup-plugin-web-worker-loader to 1.1.1 #443 (stevehobbsdev)
• Updated login_hint js docs to clarify usage with Lock #441 (stevehobbsdev)

Highlights

This release introduces a number of new features; two of these are detailed below:

Rotating Refresh Tokens

This feature adds support for rotating Refresh Tokens, which can be used to mitigate the effects of modern browser privacy tools, such as Safari's ITP technology. Refresh tokens do not depend on the user's session cookie and thus are unaffected by third-party cookie blocking.

To turn on the use of Refresh Tokens in the SDK, use the useRefreshTokens option when configuring the SDK client:

await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  useRefreshTokens: true    // the default is 'false'
})

Local Storage

From this release, you will be able to opt-in to using local storage to store the tokens that are returned from the authorization server. The default is to use the in-memory cache.

Note: Enabling local storage changes the security characteristics of your application; please read and understand the implications of enabling use of local storage to store tokens.

To do this, configure the cacheLocation to localstorage when configuring the SDK client:

await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  cacheLocation: 'localstorage'
})

The full changelog is below.

Added

• Support for rotating refresh tokens #315 (stevehobbsdev)
• Export types from global TypeScript file. #310 (maxswa)
• Local Storage caching mechanism #303 (stevehobbsdev)

Changed

• Use Web Workers for token endpoint call for in-memory storage #409 (adamjmcgrath)
• Export constructor #385 (adamjmcgrath)
• Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
• Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
• Stop checking isAuthenticated cookie on initialization when using local storage #352 (stevehobbsdev)
• getTokenSilently retry logic #336 (stevehobbsdev)
• Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)

Fixed

• Check if source of event exists before closing it #410 (gerritdeperrit)
• Check if iframe is still in body before removing #399 (paulfalgout)
• Fix typings to allow custom claims in ID token #386 (picosam)
• Fix error in library type definitions #367 (devoto13)

Security

• Dependency upgrade #405 (stevehobbsdev)

Changed

• [SDK-1379] Export constructor #385 (adamjmcgrath)

Changed

• [SDK-1395] Refactor loginWithPopup to optionally accept an existing popup window #368 (stevehobbsdev)
• handleRedirectCallback wont pass redirect_uri undefined if not set in transaction #374 (albertlockett)
• Update dependencies within semver ranges #371 (stevehobbsdev)
• [SDK-1099] Add localOnly logout option #362 (adamjmcgrath)
• center popup over owner window #356 (ggascoigne)

Fixed

• [SDK-1127] Delay removal of iframe to prevent Chrome hanging status bug #240 #376 (adamjmcgrath)
• [SDK-1125] createAuth0Client now throws errors that are not login_required #369 (stevehobbsdev)

Changed

• [SDK-1386] Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)

Fixed

• Fix error in library type definitions #367 (devoto13)

Added

• Export types from global TypeScript file. #310 (maxswa)

Changed

• [SDK-1352] Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
• [SDK-1352] Stop checking isAuthenticated cookie on initialization when using local storage #352 (stevehobbsdev)
• [SDK-1279] getTokenSilently retry logic #336 (stevehobbsdev)

• [SDK-1308] Return appState value on error from handleRedirectCallback #348 (stevehobbsdev)
• Configurable timeout for getTokenSilently() #347 (Serjlee)

Fixed

• Send same redirect_uri as /authorize to /token #341 (stevehobbsdev)
• No longer acquires a browser lock if there was a hit on the cache #339 (stevehobbsdev)
• Use user provided params on silent login #318 (nkete)

Changed

• Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)