Changelog

3.0.0

Features

New option cookies allows overriding default secure and sameSite values.

Breaking Changes

  • #308 - Removed jquery and reqwest httpRequesters

  • #309 - Removed Q library, now using standard Promise. IE11 will require a polyfill for the Promise object. Use of Promise.prototype.finally requires Node > 10.3 for server-side use.

  • #310 - New behavior for signOut()

  • #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The state parameter (passed to authorize request) is also returned.

  • #313 - An HTTPS origin will be enforced unless running on http://localhost or cookies.secure is set to false

  • #316 - Option issuer is required. Option url has been deprecated and is no longer used.

  • #317 - pkce option is now true by default. grantType option is removed.

  • #320 - getWithRedirect, getWithPopup, and getWithoutPrompt previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.

  • #321

    • Default responseType when using implicit flow is now ['token', 'id_token'].
    • When both access token and id token are returned, the id token's at_hash claim will be validated against the access token
  • #325 - Previously, the default responseMode for PKCE was "fragment". It is now "query". Unless explicitly specified using the responseMode option, the response_mode parameter is no longer passed by token.getWithRedirect to the /authorize endpoint. The response_mode will be set by the backend according to the OpenID specification. Implicit flow will use "fragment" and PKCE will use "query". If previous behavior is desired, PKCE can set the responseMode option to "fragment".

  • #329 - Fix internal fetch implementation. responseText will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as responseJSON and responseType will be set to "json". Invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the status code returned from the server.

Other

2.13.2

Bug Fixes

  • #338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless tokenManager.secure is set to true via config.

2.13.1

Bug Fixes

  • #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)

2.13.0

Features

  • #324 - Support responseMode: "query" option for SPA apps using PKCE flow

2.12.1

Bug Fixes

  • #315 - getWellKnown was using base url over issuer. Method has been fixed to use issuer, if configured, and will fall back to base url
  • #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)

2.12.0

Features

  • #304 - Will set a 'SameSite' value on all cookies set by this SDK
    • Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'

2.11.2

Features

  • #271 - New option onSessionExpired

2.11.1

Other

  • #293 - Copy markdown files to package directory during publish

2.11.0

Features

  • #288 - New options for signOut:
    • Can provide a post-logout redirect URI.
    • Can revoke access token

Bug Fixes

  • #288 - calling signOut will clear the TokenManager.
  • #284 - isPKCESupported will return false if TextEncoder is not available (IE Edge).

Other

  • #284 - better error messages when attempting to use PKCE in an unsupported browser configuration.

2.10.1

Other

  • Fixes incorrect npm publish of previous version

2.10.0

Features

  • #266 - New storage options for TokenManager

Bug Fixes

  • #265 - Fix for popup blockers

Other

  • #256 - Adds E2E tests, updates test app
  • #249 - Convert to yarn workspace
  • #264 - Removed lib/config.js, replaced with lib/constants.js and webpack define

2.9.0

Features

  • add5369 Add support to pass callback to poll function

Bug Fixes

  • 541683 Origin mismatch will now cause promise rejection (token renew)
  • d9900a TokenManager: return existing promise for concurrent requests
  • 77ece4 Clear token on 'AuthSdkError'

2.7.0

Features

  • (#238) - Adds pass-thru of optional 'loginHint' and 'idpScopes' params (resolves issue #214)

2.6.3

Other

  • (#235) - Option grantType has been deprecated and will be removed in 3.0

2.6.2

Features

Bug Fixes

  • (#233) The default responseMode was incorrectly set to fragment instead of query when the responseType was code. This regression was introduced in version 2.6.0.

  • 747216b fix build process, so that /dist/okta-auth-js.min.js is for browsers (since version 2.2.0, dist/ output was being built for node.js applications, which was not intended)

2.6.1

Features

  • d8d2fee TokenManager: new option expireEarlySeconds

Bug Fixes

  • TokenManager: Re-enables use of custom storage keys

Other

  • TokenManager: Document the maxClockSkew option

2.6.0

Features

Bug Fixes

  • TokenManager: tokens were being expired 5 minutes early

2.5.0

Features

  • d736cc9 - New TokenManager option to support HTTPS-only "secure" cookies.

Other

  • fddec0a - Use fetch as the default request agent (instead of reqwest).

2.3.1

Bug Fixes

  • #187 - When deprecated ajaxRequest was passed to config, the logger for the deprecate message was still using window.console. This fix makes the logger isomorphic.

2.3.0

Features

  • #184 - Adds support for calling the AuthN API from Node

2.2.0

Bug Fixes

  • #178 - Resolves an issue introduced with #171 causing the silent login flow to throw errors

2.1.0

Bug Fixes

  • #172 - Fixes an issue where default storage was read-only
  • #161 - ignoreSignature was not set when redirecting

Other

  • #171 - Scrub null/undefined values from authorize requests
  • #162 - Update dependencies

2.0.1

Bug Fixes

  • Fixed a problem, introduced in 2.0.0, that was causing tokens to be refreshed every time authClient.tokenManager.get('accessToken') was called.

2.0.0

Breaking Changes

  • Token retrieval is now asynchronous to account for automatic token renewal.

    // ES2017+ (async/await)
    const accessToken = await authClient.tokenManager.get('accessToken');
    
    // Handle as a promise
    authClient.tokenManager.get('accessToken')
    .then(function(accessToken) {
      console.log(accessToken);
    });
  • Removed the following deprecated methods:

    • idToken.authorize
    • idToken.verify
    • idToken.refresh
    • idToken.decode

Features

  • Clears whitespace around URLs when instantiating the client.
  • Infer the url from the issuer to simplify client setup.

Other

  • Renames all refresh methods on the token and tokenManager objects to renew.