v2.1.3 (2023-12-11)
Changed
v2.1.2 (2023-08-21)
Fixed
- Ensure organization cookie is set when no organization was set #1123 (frederikprijck)
v2.1.1 (2023-07-18)
Changed
- Do not lowercase org_name claim #1117 (frederikprijck)
v2.1.0 (2023-07-13)
Added
- Support Organization Name #1113 (frederikprijck)
Fixed
- Ensure AMR claim is set to an array of strings #1112 (frederikprijck)
v2.0.8 (2023-06-14)
Changed
- Lazily retrieve transaction from transaction storage #1108 (frederikprijck)
v2.0.7 (2023-06-02)
Changed
- Make TransactionManager use CookieDomain #1105 (ZdravkoDonev-gtmhub)
v2.0.6 (2023-05-30)
Fixed
- Fix missing invalid state errors with Generic Error #1102 (frederikprijck)
v2.0.5 (2023-05-22)
Changed
- distinguish between missing and invalid state #1099 (frederikprijck)
- Allow sync openUrl #1087 (adamjmcgrath)
v2.0.4 (2023-02-22)
Fixed
- Correctly expose missing_refresh_token error from worker #1080 (frederikprijck)
v2.0.3 (2023-02-04)
Fixed
- Ensure cookieDomain is used when using legacy Cookiestorage #1071 (frederikprijck)
- Ensure to only clear current client cache when logging out #1068 (frederikprijck)
v2.0.2 (2023-01-12)
Security
- Bump jsonwebtoken to v9 #1062 (dependabot)
This patch release is identical to 2.0.1 but has been released to ensure tooling no longer detects a vulnerable version of jsonwebtoken being used.
Even though 2.0.1 was not vulnerable for the related CVE because of the fact that jsonwebtoken is a devDependency, we are cutting a release to ensure build tools no longer report our SDK as vulnerable to the mentioned CVE.
v2.0.1 (2022-12-08)
Changed
- Add openUrl and deprecate onRedirect #1058 (frederikprijck)
Fixed
- Export MissingRefreshTokenError #1043 (frederikprijck)
v2.0.0 (2022-10-27)
Auth0-SPA-JS v2 includes many significant changes compared to v1:
- Refactor module output and avoid default export #942 (frederikprijck)
- Do not throw from
checkSession#943 (frederikprijck) - Rework
ignoreCachetocacheModeand introducecache-only#950 (ewanharris) - Do not fallback to refreshing tokens via iframe method by default #946 (ewanharris)
- Use form-encoded data by default #945 (frederikprijck)
- Remove
getIdTokenClaimsOptionstype #960 (ewanharris) - Rename
client_idtoclientId#956 (ewanharris) - Remove polyfills from bundles #951 (frederikprijck)
- Update output target to ES2017 #953 (frederikprijck)
- Introduce
authorizationParamsto hold properties sent to Auth0 #959 (ewanharris) - Do not build Common JS module with externals #971 (frederikprijck)
- De-dupe Id token; getUser and getIdTokenClaims no longer take any arguments #967 (frederikprijck)
- Remove
advancedOptions.defaultScopeand replace withscope#972 (ewanharris) - Cache and return id token from memory #975 (ewanharris)
- Remove
buildAuthorizeUrl#980 (frederikprijck) - Make
buildLogoutUrlinternal #982 (ewanharris) - Fix spelling mistakes in id token validation messages #940 (frederikprijck)
As with any major version bump, v2 of Auth0-SPA-JS contains a set of breaking changes. Please review the migration guide thoroughly to understand the changes required to migrate your application to v2.
v2.0.0-beta.1 (2022-10-12)
Fixed
- Ensure getTokenSilently works when mixing return types #1016 (frederikprijck)
- Close MessageChannel after receiving and processing message from worker #1023 (ewanharris)
v2.0.0-beta.0 (2022-10-01)
Auth0-SPA-JS v2 includes many significant changes compared to v1:
- Refactor module output and avoid default export #942 (frederikprijck)
- Do not throw from
checkSession#943 (frederikprijck) - Rework
ignoreCachetocacheModeand introducecache-only#950 (ewanharris) - Do not fallback to refreshing tokens via iframe method by default #946 (ewanharris)
- Use form-encoded data by default #945 (frederikprijck)
- Remove
getIdTokenClaimsOptionstype #960 (ewanharris) - Rename
client_idtoclientId#956 (ewanharris) - Remove polyfills from bundles #951 (frederikprijck)
- Update output target to ES2017 #953 (frederikprijck)
- Introduce
authorizationParamsto hold properties sent to Auth0 #959 (ewanharris) - Do not build Common JS module with externals #971 (frederikprijck)
- De-dupe Id token; getUser and getIdTokenClaims no longer take any arguments #967 (frederikprijck)
- Remove
advancedOptions.defaultScopeand replace withscope#972 (ewanharris) - Cache and return id token from memory #975 (ewanharris)
- Remove
buildAuthorizeUrl#980 (frederikprijck) - Make
buildLogoutUrlinternal #982 (ewanharris) - Fix spelling mistakes in id token validation messages #940 (frederikprijck)
As with any major version bump, v2 of Auth0-SPA-JS contains a set of breaking changes. Please review the migration guide thoroughly to understand the changes required to migrate your application to v2.
v1.22.5 (2022-10-12)
Fixed
- Ensure getTokenSilently works when mixing return types #1016 (frederikprijck)
v1.22.4 (2022-09-08)
Fixed
- Release lock on pagehide #974 (frederikprijck)
v1.22.3 (2022-08-25)
Changed
Fixed
- Pin es-cookie to patch versions only #965 (frederikprijck)
v1.22.2 (2022-07-19)
Changed
- Avoid sending unnecessary request parameters #920 (frederikprijck)
v1.22.1 (2022-06-14)
Changed
- Stronger typing for screen_hint property #912 (iAmWillShepherd)
- Add env to auth0Client userAgent #913 (frederikprijck)
v1.22.0 (2022-05-24)
Added
- Silent auth fallback when using Refresh Tokens can now be disabled #907 (frederikprijck)
Security
- [Snyk] Upgrade core-js 3.22.4 #910 (crew-security)
v1.21.1 (2022-05-10)
Fixed
Security
- [Snyk] Upgrade core-js from 3.21.1 to 3.22.0 #901 (snyk-bot)
- [Snyk] Upgrade promise-polyfill from 8.2.1 to 8.2.3 #893 (snyk-bot)
v1.21.0 (2022-04-01)
Added
Fixed
- fix: handle NPE when no popup is available #888 (stevehobbsdev)
v1.20.1 (2022-03-04)
Fixed
- Prevent cache.get when key is undefined #882 (stevehobbsdev)
v1.20.0 (2022-02-14)
Added
- [SDK-3105] Add httpTimeoutInSeconds to control fetch timeout #875 (stevehobbsdev)
Changed
- clarify documentation comment for getTokenSilently #874 (jdugan1024)
Fixed
Security
- [Snyk] Upgrade core-js from 3.20.2 to 3.20.3 #873 (snyk-bot)
- Bump node-fetch from 2.6.1 to 2.6.7 #870 (dependabot[bot])
- [Snyk] Upgrade core-js from 3.20.1 to 3.20.2 #869 (snyk-bot)
- [Snyk] Upgrade core-js from 3.20.0 to 3.20.1 #864 (snyk-bot)
v1.19.4 (2022-01-14)
Fixed
- Org ID hint cookie expiry now aligns with is.authenticated cookie #861 (stevehobbsdev)
Security
- Bump follow-redirects from 1.14.0 to 1.14.7 #860 (dependabot[bot])
- [Snyk] Upgrade core-js from 3.19.2 to 3.20.0 #858 (snyk-bot)
- [Snyk] Upgrade core-js from 3.19.1 to 3.19.2 #851 (snyk-bot)
v1.19.3 (2021-12-01)
Changed
- Make RedirectLoginOptions and RedirectLoginResult accept generic AppState #846 (frederikprijck)
Fixed
- Getidtokenclaims return type #844 (jmac105)
- Add check for state in handleRedirectCallback #841 (stevehobbsdev)
- Prevent nowProvider from being passed to authorize endpoint #840 (stevehobbsdev)
- Fix cached scopes when using detailed response mode #824 (stevehobbsdev)
v1.19.2 (2021-10-18)
This release fixes an anomoly with a new type we exposed in #803, where it was incorrectly wrapped with Partial. We don't expect this change to introduce any issues, but if you are affected please raise it on our issue tracker.
Fixed
- GetTokenSilentlyVerboseResponse no longer uses partial TokenEndpointResponse type #820 (stevehobbsdev)
v1.19.1 (2021-10-14)
Republished version 1.19.0, which got published during a period npm was suffering downtime issues, resulting in 1.19.0 being released but not installable for end users. Users should install 1.19.1 instead.
v1.19.0 (2021-10-11)
Added
- [SDK-2794] Return token response in getTokenSilently #803 (stevehobbsdev)
- [SDK-2793] Ability to define a custom now provider #802 (frederikprijck)
v1.18.0 (2021-09-15)
Added
- [SDK-2750] Expose mfa_token from the mfa_required error when getting new tokens #789 (frederikprijck)
Changed
- [SDK-2759] Re-scoping cookies and transactions to client ID #796 (stevehobbsdev)
- [SDK-2320] Throw login_required error in SPA SDK if running in a cross-origin is… #790 (frederikprijck)
Fixed
- [SDK-2692] Remember organization ID for silent authentication #788 (stevehobbsdev)
v1.17.1 (2021-09-03)
Fixed
- Correct cache interface #779 (employee451)
v1.17.0 (2021-08-03)
Added
- Add
useFormDatato enableapplication/x-www-form-urlencodedrequests #768 (stevehobbsdev)
Changed
- Allow providing a
domainthat includeshttporhttps. #768 (stevehobbsdev)
v1.16.1 (2021-07-07)
Fixed
- Changes to logout and cache synchronicity #758 (stevehobbsdev)
v1.16.0 (2021-07-05)
Added
- [SDK-2555] Extensible Cache #743 (stevehobbsdev)
v1.15.0 (2021-04-29)
Added
Fixed
- Fix popup blocker showing for loginWithPopup in Firefox & Safari #732 (stevehobbsdev)
v1.14.0 (2021-03-22)
Added
- feat(loginWithRedirect): add redirectMethod option #717 (slaywell)
- Export errors for type checking #716 (adamjmcgrath)
Changed
Fixed
- Updated minor syntax, to allow for TypeScript compiler to be happier #714 (kachihro)
- Revert [SDK-2183] Add warning when requested scopes differ from retrieved scopes #712 (frederikprijck)
v1.13.6 (2021-01-07)
Changed
- Update docs for getIdTokenClaims and getUser #690 (adamjmcgrath)
- [SDK-2238] Only use timeout promise when using fetchWithTimeout without a worker #689 (frederikprijck)
- Do not use AbortController in the worker if not available #679 (stevehobbsdev)
- Do not send useCookiesForTransactions to authorize request #673 (frederikprijck)
Fixed
- Remove the nonce check in handleRedirectCallback #678 (stevehobbsdev)
Security
- Update wait-on to solve security vulnerability #687 (frederikprijck)
- [Security] Bump ini from 1.3.5 to 1.3.7 #672 (dependabot-preview[bot])
v1.13.5 (2020-12-08)
Changed
- [SDK-2173] Expand on behaviour of checkSession in docs #666 (stevehobbsdev)
- [SDK-2183] Add warning when requested scopes differ from retrieved scopes #665 (frederikprijck)
- [SDK-2170] Avoid the possibility to do simultaneous calls to the token endpoint #664 (frederikprijck)
- [SDK-2025] Internal module refactor #661 (stevehobbsdev)
- [SDK-2039] Change cache lookup mechanism #652 (frederikprijck)
Fixed
- [SDK-1739] Recover and logout when throwing invalid_grant on Refresh Token #668 (frederikprijck)
Remarks
This release updates the getUser return type to be more correct. Instead of returning Promise<TUser>, it now returns Promise<TUser | undefined>, which might lead to an Object is possible 'undefined' compiler error in situation where the return value is not checked for being undefined while having set the TypeScript's --strictNullChecks compiler flag to true.
v1.13.4 (2020-12-02)
Added
- [SDK-2172] Add SDK metrics to all API calls #659 (frederikprijck)
Changed
- [SDK-1159] Use generics for getUser #651 (frederikprijck)
v1.13.3 (2020-11-13)
Fixed
- [SDK-2156] Heed timeoutInSeconds when calling getTokenSilently with refresh tokens #639 (stevehobbsdev)
v1.13.2 (2020-11-09)
Added
- [SDK-2121] Add support for token validation for Organizations #631 (stevehobbsdev)
v1.13.1 (2020-10-29)
Changed
- [SDK-2037] Remove cacheLocation guard from checkSession #613 (frederikprijck)
- [SDK-2092] Do not use Web Worker for Safari < 12.1 #612 (frederikprijck)
Fixed
v1.13.0 (2020-10-21)
Added
- [SDK-2042] Fallback option for transactions using cookies #603 (stevehobbsdev)
- Refactor logout to use buildLogoutUrl #595 (rnwolfe)
- Add an option to extend cookie expire day #586 (luisfmsouza)
Fixed
- Use AbortController polyfill in Web Worker #598 (frederikprijck)
- [SDK-1994] GMaps breaks SPA JS on IE11 #592 (adamjmcgrath)
v1.12.1 (2020-09-17)
Fixed
- Remove
sessionStoragerequirement from instantiation to fix SSR environments #578 (adamjmcgrath)
v1.12.0 (2020-09-04)
Added
- [SDK-1858] Create legacy samsite cookie by default #568 (adamjmcgrath)
Changed
- Dependency updates #569 (stevehobbsdev)
- Update FAQ.md with information on silent authentication problems #550 (stevehobbsdev)
Fixed
- [SDK-1837] Session storage support for transactions #564 (stevehobbsdev)
- [SDK-1924] client methods should handle partially filled arguments #561 (adamjmcgrath)
- [SDK-1885] Add some additional state validation #560 (adamjmcgrath)
- [SDK-1912] Unnecessary latency in
getTokenSilentlywith primed cache #558 (adamjmcgrath) - fix: add missing types to utils.ts and errors.ts #547 (SeyyedKhandon)
- Exclude windows absolute paths as well as posix #534 (adamjmcgrath)
v1.11.0 (2020-07-21)
Added
- [SDK-1560] Allow issuer as url #523 (adamjmcgrath)
- [SDK-1790] use refresh_tokens with multiple audiences #521 (adamjmcgrath)
- [SDK-1650] Add
messageto errors that don't have one #520 (adamjmcgrath)
Fixed
- [SDK-1798] prevent unnecessary token requests #525 (adamjmcgrath)
- [SDK-1789] Add custom initial options to the 2 getToken methods #524 (adamjmcgrath)
v1.10.0 (2020-06-17)
Changed
- [SDK-1696] Allow caller of cache.get to specify an expiry time adjustment #491 (stevehobbsdev)
Fixed
- Don't include mocks in build #503 (adamjmcgrath)
- [SDK-1699] Fix ID token validation for auth_time #497 (stevehobbsdev)
- Add secure attribute to cookies if served over HTTPS #472 (ties-v)
v1.9.0 (2020-06-02)
Added
- [SDK-1695] Add
auth0Clientoption so wrapper libraries can send their own client info #490 (adamjmcgrath) - Add
checkSessionand ignore recoverable errors #482 (adamjmcgrath)
Fixed
- Update docs for returnTo and client_id params on logout #484 (stevehobbsdev)
v1.8.2 (2020-05-26)
Fixed
- [SDK-1640] Allow the client to be constructed in a Node SSR environment #471 (adamjmcgrath)
- [SDK-1634] Pass custom options to the token endpoint #465 (stevehobbsdev)
- [SDK-1649] Fix issue where cache was missed when scope parameter was provided #461 (adamjmcgrath)
v1.8.1 (2020-05-06)
Fixed
- Fix issue with create-react-app webpack build #451 (adamjmcgrath)
v1.8.0 (2020-04-30)
Added
- [SDK-1417] Customizable default scopes #435 (stevehobbsdev)
- include polyfill for Set #426 (tony-aq)
Fixed
- Update rollup-plugin-web-worker-loader to 1.1.1 #443 (stevehobbsdev)
- Updated
login_hintjs docs to clarify usage with Lock #441 (stevehobbsdev)
v1.7.0 (2020-04-15)
Added
- Support for rotating refresh tokens #315 (stevehobbsdev)
- Export types from global TypeScript file. #310 (maxswa)
- Local Storage caching mechanism #303 (stevehobbsdev)
Changed
- Use Web Workers for token endpoint call for in-memory storage #409 (adamjmcgrath)
- Export constructor #385 (adamjmcgrath)
- Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
- Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
- Stop checking
isAuthenticatedcookie on initialization when using local storage #352 (stevehobbsdev) - getTokenSilently retry logic #336 (stevehobbsdev)
- Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)
Fixed
- Check if source of event exists before closing it #410 (gerritdeperrit)
- Check if iframe is still in body before removing #399 (paulfalgout)
- Fix typings to allow custom claims in ID token #386 (picosam)
- Fix error in library type definitions #367 (devoto13)
Security
- Dependency upgrade #405 (stevehobbsdev)
v1.7.0-beta.5 (2020-03-26)
Changed
- [SDK-1379] Export constructor #385 (adamjmcgrath)
v1.7.0-beta.4 (2020-03-03)
Changed
- [SDK-1386] Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
Fixed
v1.7.0-beta.3 (2020-02-17)
Added
Changed
- [SDK-1352] Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
- [SDK-1352] Stop checking
isAuthenticatedcookie on initialization when using local storage #352 (stevehobbsdev) - [SDK-1279] getTokenSilently retry logic #336 (stevehobbsdev)
v1.7.0-beta.2 (2020-01-16)
Changed
- Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)
v1.7.0-beta.1 (2020-01-08)
Added
- Ability to use either an in-memory cache (the default) or localstorage to store tokens - stevehobbsdev - #303
- Added support for rotating refresh tokens - stevehobbsdev - #315
v1.6.5 (2020-03-19)
Changed
- [SDK-1395] Refactor loginWithPopup to optionally accept an existing popup window #368 (stevehobbsdev)
- handleRedirectCallback wont pass redirect_uri undefined if not set in transaction #374 (albertlockett)
- Update dependencies within semver ranges #371 (stevehobbsdev)
- [SDK-1099] Add
localOnlylogout option #362 (adamjmcgrath) - center popup over owner window #356 (ggascoigne)
Fixed
- [SDK-1127] Delay removal of iframe to prevent Chrome hanging status bug #240 #376 (adamjmcgrath)
- [SDK-1125] createAuth0Client now throws errors that are not login_required #369 (stevehobbsdev)
v1.6.4 (2020-02-10)
Changed
- [SDK-1308] Return appState value on error from handleRedirectCallback #348 (stevehobbsdev)
- Configurable timeout for getTokenSilently() #347 (Serjlee)
v1.6.3 (2020-01-28)
Fixed
- Send same redirect_uri as /authorize to /token #341 (stevehobbsdev)
- No longer acquires a browser lock if there was a hit on the cache #339 (stevehobbsdev)
- Use user provided params on silent login #318 (nkete)
v1.6.2 (2020-01-13)
Removed
Removed future issued-at claim check stevehobbsdev - #329
v1.6.1 (2020-01-07)
Fixed
Included core-js polyfill for String.includes to fix an issue with browser-tabs-lock in IE11 stevehobbsdev - #325
Added import definition to Getting Started section in the Readme for clarity thundermiracle - #294
v1.6.0 (2019-11-19)
Added Added buildAuthorizeUrl and url parameter to handleRedirectCallback - austin43 - #280
Fixed Released browser lock on getTokenSilently error - #276 Updates browser-tabs-lock to fix issue of long acquired lock - super-tokens - https://github.com/auth0/auth0-spa-js/commit/3413e30bdb5955c818989cdc050079fa6efb6050
v1.5.0 (2019-10-31)
Added Add a new property 'fragment' to be appended to the authorize URL on redirect - #249
v1.4.2 (2019-10-30)
Fixed Update typescript definition for max_age param - #260 Fix for typings files in packaged SDK - #263
v1.4.1 (2019-10-30)
Fixed Updated types path in package.json #261
v1.4.0 (2019-10-30)
Added
Add 'lock' to prevent getTokenSilently to be invoked in parallel #238
Improved OIDC compliance #248
Fixed
Fix for race condition when using sha256 on IE11 #252
Fixed the codeowners file with the correct group #253
Document leeway default value #256
Clear transaction data on error #254
v1.3.2 (2019-10-17)
Fixed
parseQueryString now removes hash fragment on query before parsing #246
v1.3.1 (2019-10-14)
Fixed Fix IE msCrypto.subtle usage #242
v1.3.0 (2019-10-10)
Fixed Add missing char for nonce/state generation #230 Fix query parsing when using hash routing #231 Fix safari10 initialization error #232
Changed Add early expiration of Access Token in cache #233
v1.2.4 (2019-09-24)
Fixed
Fix empty PKCE code challenge #221
v1.2.3 (2019-09-02)
Fixed
Fix incorrect state extraction from query string #197
v1.2.2 (2019-08-28)
Fixed
Fix SSR errors with fetch polyfill usage #184
v1.2.1 (2019-08-27)
Fixed
Replace promise polyfill for a pure one. This fixes using this library with zone.js. #180
v1.2.0 (2019-08-26)
Fixed
- Expose raw id_token in the getIdTokenClaims method #175
- Fix bug where oauth/token call ignores
options.audience#134
Added
v1.1.1 (2019-07-22)
Fixed
- Make sure the production bundle is ES5 compatible. #98
v1.1.0 (2019-07-15)
Changed
- Allow redirect_uri override in loginWithRedirect - #66
- Make options argument for popup and redirect optional - #61
- Mark redirect_uri optional in RedirectLoginOptions - #53
v1.0.2 (2019-07-02)
Changed
- Add polyfill for TextEncoder - #46
v1.0.1 (2019-06-24)
Changed
- Reduce transaction cookie size - #32
v1.0.0 (2019-06-19)
Initial Release