- #1136 Fixes typo in security question enrollment
- #1113 Updates types for `SigninWithCredentialsOptions` and `SignInOptions` to support SP Initiated Auth
- #1125 IDX - Supports auto select methodType (when only one selection is available) for `authenticator-verification-data` remediation
- #1114 Exposes ESM node bundle
- #1114 Fixes ESM browser bundle issue by only using ESM `import` syntax
- #1130 `state` now stored in session during verifyEmail flow
- #1124
  - Adds multi-tab "leadership" election to prevent all tabs from renewing tokens at the same time
  - Adds granular configurations for `autoRenew` (active vs passive)
  - Adds options to `isAuthenticated` to override client configuration
  - Fixes issue in token renew logic within `isAuthenticated`: tokens are now read from `tokenManager` (not memory) before expiration is checked
- #1036 Adds `webauthn` authenticator support in idx module
- #1075 Adds top level `invokeApiMethod` method as an escape hatch to make arbitrary OKTA API requests
- #1093 Allows passing device context headers (`X-Forwarded-For`, `User-Agent`, `X-Okta-User-Agent-Extended` and `X-Device-Token`) to `idx.interact`. Follow the setHeaders section to add headers to http requests.
- #1071 TypeScript: Adds fields for `Input` type in NextStep object
- #1094 TypeScript: Fixes `SigninOptions.context` type
- #1092 Call `updateAuthState` when `handleLoginRedirect` fails
- #1073 Upgrades `cross-fetch` to resolve security vulnerability
- #1003 Supports generic UserClaims type. Custom claims should be extended by typescript generics, like `UserClaims<{ groups: string[]; }>`
- #1050 Removes `userAgent` field from oktaAuth instance
- #1014 Shared transaction storage is automatically cleared on success and error states. Storage is not cleared for "terminal" state which is neither success nor error.
- #1051 Removes `useMultipleCookies` from CookieStorage options
- #1059
  - Removes signOut option `clearTokensAfterRedirect`
  - Adds signOut option `clearTokensBeforeRedirect` (default: `false`) to remove local tokens before the logout redirect happens
- #1057 Strict checks are now enabled in the Typescript compiler options. Some type signatures have been changed to match current behavior.
- #1062
  - Authn method `introspect` is renamed to `introspectAuthn` (still callable as `tx.introspect`)
  - `IdxFeature` enum is now defined as strings instead of numbers
- #1014 Updates IDX API to support email verify and recovery/activation
  - adds new configuration options `recoveryToken` and `activationToken`
  - email verify callback:
    - adds support for passing `otp` to idx pipeline
    - updates samples to display error message with OTP code
  - idx methods support new options:
    - `exchangeCodeForTokens`. If false, `interactionCode` will be returned on the transaction at the end of the flow instead of `tokens`.
    - `autoRemediate`. If false, there will be no attempt to satisfy remediations even if values have been passed.
  - TransactionManager supports new option: `saveLastResponse`. If false, IDX responses will not be cached.
- #1062
  - All IDX methods are exported.
  - `useInteractionCodeFlow` defaults to `true` for sample and test apps.
- #1064 Supports skip authenticator in idx authentication flow
- #1054 Fixes Typescript build error
- #1010 Supports `clearPendingRemoveTokens` option in `signOut` method. This option can be used to avoid the cross-tab sign out issue with Okta's downstream client SDKs' `SecureRoute` component
- #1035 Adds `security question` authenticator support in idx module
- #1028 Any error caught in `token.renew()` will be emitted and contain a `tokenKey` property
- #1027 Don't reject `isAuthenticated()` because of failed token renewal
- #1032 Fixes idx recover password flow with identifier first org policy
- #1048 Points browser field to UMD bundle
- #1021 Removes `type` field in package.json. As okta-auth-js includes multiple bundles (cjs, esm, umd) in the package, an explicit `type` field causes errors for some types of bundlers. This change fixes an issue with @angular/cli.
- #1004 Allows extra query parameters to be added to the `authorize` url
- #1000
  - Fixes broken ES module bundle
  - Updates `browser` field in `package.json` to enable bundlers to use the ES module bundle by default
- #1005
  - Handles `rememberMe` boolean in IDX Identify remediation adapter
  - Typescript: Adds `type` field for `Input` type in NextStep object
- #1012 Fixes null access when crypto is not present
- #990 Supports email verify callback
- #988 Fixes Safari & Firefox browsers blocking `getWithPopup` issue
- #995 Sends cookie for `authn` related requests
- #985 Fixes issue with renewTokens that would drop scopes passed to `getToken`
- #981 TypeScript: Allows optional parameters for IDX methods
- #986 TypeScript: Interface `SignInWithRedirectOptions` should extend `TokenParams`
- #992 TypeScript: Adds fields for `Input` type in NextStep object
- #997 Validates `scopes` config param is an `array`
- #963
  - Adds `getPreviousAuthState` method to `AuthStateManager`
  - Allows null type for authState related methods / fields
- #948 Adds `Google Authenticator` support in idx module
- #947 TypeScript: Allow custom keys in `AuthState` interface
- #967 Throw error in `parseFromUrl` if transaction meta can't be loaded
- #933 Adds `ignoreLifetime` option to disable token lifetime validation
- #932 Adds `headers` with response headers to all responses
- #936 Fixes getting multiple memory storages issue in browser environment
- #926 Fixes incorrect use of `tokenManager` config (options `autoRenew`, `autoRemove`) in `OktaAuth.isAuthenticated`.
- #931 Fixes types compatibility issue with old typescript versions (< 3.8)
- #930 Fixes incorrect error message in idx `AuthTransaction` when user is not assigned.
- #927 Does not trigger `authStateManager.updateAuthState` during login redirect in `start` method.
- #916 Removes misleading warning message for TokenManager methods
- #908 Enables dynamic attributes for profile enrollment
- #906
  - Checks idToken integrity during token auto renew process
  - Enables emitting `renewed` event for `TokenManager.setTokens` method
  - Exposes `crypto` util module
- #893 Fixes MFA keep returning `MFA_REQUIRED` status
- #891 Adds new method `http.setRequestHeader`
- #853 Updates `token.parseFromUrl` signature (adds optional parameter)
- #873 Fixes AuthStateManager emitting inconsistent `isAuthenticated` state during active token auto renew by only checking existence of both tokens from storage
- #862 Fixes issue with untranspiled `class` keyword
- #858 Fixes issue with verifying tokens when using a proxied issuer
- #845 Fixes issue with renewing using refresh tokens
- #831 Calculates ID token expiry time based on local clock
- #832 Supports rotating refresh tokens
- #838 `idx.recoverPassword` - checks if flow is supported
- #832 Fixes issues with refresh tokens
- #839 Fixes `@okta/okta-idx-js` missing core-js dependency.
- #844 Fixes ES module includes `SDK_VERSION` placeholder issue
- #839
  - Moves `tsd` from dependencies to devDependencies
  - Reduces bundle size by upgrading `@okta/okta-idx-js` to 0.18.0 (replaced `jsonpath` with `jsonpath-plus`)
  - Reduces bundle size by removing unnecessary license banner
- #808 Fixes CommonJS bundle missing crypto modules issue
- #730
  - `updateAuthState` returns a Promise.
  - Adds `idx` module. See details in IDX README.md
- #807 Fixes CommonJS bundle missing crypto modules issue
- #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect
- #731 Fixes issue with `handleLoginRedirect` where a redirect could occur after an exception was thrown.
- #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect
- #731 Fixes issue with `handleLoginRedirect` where a redirect could occur after an exception was thrown.
- #694 Adds `cookies.sessionCookie` option
- #689 New methods `start` and `stop` are added to control `OktaAuth` as a service.
- #515 Removes `token.value` field
- #540 Locks `tokenManager.expireEarlySeconds` option to the default value (30s) for non-dev environments
- #677 Http requests will not send cookies by default
- #678 Default value for `originalUri` is null.
- #706 Removes `isPending` from `AuthState`
- #675 Removes warning when calling `updateAuthState` when there are no subscribers
- #706 Calling `isAuthenticated` will renew expired tokens when `autoRenew` is true
- #656 Fixes `TokenManager.renew` to renew only the requested token
- #656 Adds `token.renewTokensWithRefresh`
- #652 Accepts 'state' as a constructor option
- #646 Fixes token validation to use the issuer from well-known config
- #648 Updates widget to 5.4.2
- #653 Removes isLoginRedirect check in oidc logic
- #661 Upgrades node-cache to 5.1.2
- #638 Fixes an issue with revoking refresh tokens
- #632 Fixes an issue with renewing refresh tokens
- #616 Fixes issue with `fetch` on IE Edge versions 14-17.
- #627 Fixes an issue with Typescript and `StorageManagerOptions`
- #620 Adds support for `interaction_code` and `error=interaction_required` on redirect callback
- #604 Adds new utility objects: `storageManager` and `transactionManager`
- #614 Fixes issue with renewTokens and implicit flow: get responseType value from SDK configuration
- #594 Adds `@babel/runtime` to dependencies list.
- #572 Adds idps options for Signin widget flow in samples
- #565 Adds support for widget version and interaction code to test app and samples
- #616 Fixes issue with `fetch` on IE Edge versions 14-17.
- #585 Uses native fetch, if available
- #583 Better error handling for redirect flows: if the redirect URI contains `error` or `error_description` then `isLoginRedirect` will return true and `parseFromUrl` will throw `OAuthError`
- #579 Removes overeager `catch` when using refresh token
- #567 Adds new methods `token.prepareTokenParams`, `token.exchangeCodeForTokens`, `pkce.generateVerifier`, `pkce.computeChallenge` and constant `pkce.DEFAULT_CODE_CHALLENGE_METHOD`. This API allows more control over the `PKCE` authorization flow and is enabled for both browser and nodeJS.
- #554 Adds MFA types
- #518 Added `claims` to `AccessToken`
- Adds the ability to use refresh tokens with single page applications (SPA) (Early Access feature - reach out to our support team)
  - The `scopes` configuration option now handles 'offline_access' as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings
    - If you already have tokens (from a separate instance of auth-js or the okta-signin-widget) those tokens must already include a refresh token and have the 'offline_access' scope
    - 'offline_access' is not requested by default. Anyone using the default `scopes` and wishing to add 'offline_access' should pass `scopes: ['openid', 'email', 'offline_access']` to their constructor
  - `renewTokens()` will now use an XHR call to replace tokens if the app has a refresh token. This does not rely on "3rd party cookies"
    - The `autoRenew` option (defaults to `true`) already calls `renewTokens()` shortly before tokens expire. The `autoRenew` feature will now automatically make use of the refresh token if present
  - `signOut()` now revokes the refresh token (if present) by default, which in turn will revoke all tokens minted with that refresh token
    - The revoke calls by `signOut()` follow the existing `revokeAccessToken` parameter: when `true` (the default) any refreshToken will also be revoked, and when `false`, no tokens are explicitly revoked. This parameter name becomes slightly misleading (as it controls both access AND refresh token revocation) and will change in a future version.
- #541 Fixes type error in `VerifyRecoveryTokenOptions`
- #535 Respects `scopes` that are set in the constructor
- #869
  - Implements `AuthStateManager` to evaluate and emit the latest authState. Exposes new methods from `AuthStateManager`: `authStateManager.getAuthState`, `authStateManager.updateAuthState`, `authStateManager.subscribe`, `authStateManager.unsubscribe`
  - Adds new methods in sdk browser scope: `sdk.signInWithCredentials`, `sdk.signInWithRedirect`, `sdk.isAuthenticated`, `sdk.getUser`, `sdk.getIdToken`, `sdk.getAccessToken`, `sdk.storeTokensFromRedirect`, `sdk.setOriginalUri`, `sdk.getOriginalUri`, `sdk.removeOriginalUri`, `sdk.isLoginRedirect`, `sdk.handleLoginRedirect`
  - Deprecates method in sdk browser scope: `sdk.signIn`
  - Adds new methods in `sdk.tokenManager`: `tokenManager.getTokens`, `tokenManager.setTokens`
  - Accepts new options `transformAuthState`, `restoreOriginalUri`, `autoRemove`, `devMode`
- #469 Adds "rate limiting" logic to the token autoRenew process to prevent too many requests being sent out, which may cause application rate limit issues.
- #503 Supports relative uri for options.redirectUri
- #478 Adds cross-tab communication to sync `AuthState`.
- #525 Adds new methods `hasResponseType`, `isPKCE`, `isAuthorizationCodeFlow`. The option `responseType` is now accepted in the constructor.
- #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
- #514 Fixes OAuth redirect params issue in legacy browsers.
- #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
- #514 Fixes OAuth redirect params issue in legacy browsers.
- #520 `token.isLoginRedirect` will check that the current URL matches the redirectUri
- #491 Fixes issue with OAuth param cookie when using self-hosted signin widget
- #489 Fixes sameSite cookie setting when running on HTTP connection
- #473 Fixes login issue when cookies are blocked or used as shared state storage
- #413 Adds support for Typescript. Uses named exports instead of default export.
- #444 New method `tokenManager.hasExpired` to test if a token is expired
- #444
  - Implements "active" autoRenew. Previously tokens would be renewed or removed when calling `tokenManager.get`. Now they will be renewed or removed in the background. If autoRenew is true, tokens will be renewed before expiration. If autoRenew is false, tokens will be removed from storage on expiration.
  - The `onSessionExpired` option has been removed. TokenManager events can be used to detect and handle token renewal errors.
  - `tokenManager.get` no longer implements autoRenew functionality (autoRenew is done by a separate process within `TokenManager`). Even with `autoRenew`, it is possible that the token returned from the TokenManager may be expired, since renewal is an asynchronous process. The new method `tokenManager.hasExpired` can be used to test the token and avoid this potential race condition.
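The following is an added example, not okta-auth-js code, that mirrors the contract described for #444 (and the `expireEarlySeconds` option and "return existing promise for concurrent requests" entries further down): a synchronous `get` that may hand back a stale token, `hasExpired` applying an early-expiry margin, background renewal that removes instead of renewing when `autoRenew` is false, and de-duplication of concurrent renewals. Tokens are assumed to be `{ value, expiresAt }` with `expiresAt` in epoch seconds; `renewToken` is an assumed async callback standing in for the /token call, and `now` is injectable so the timing logic can be exercised without waiting.

```javascript
// Added example (not okta-auth-js): a minimal token store following the post-#444 contract.
class MiniTokenManager {
  constructor({ renewToken, autoRenew = true, expireEarlySeconds = 30,
                now = () => Math.floor(Date.now() / 1000) }) {
    this.renewToken = renewToken;          // assumed: async (key, oldToken) => newToken
    this.autoRenew = autoRenew;
    this.expireEarlySeconds = expireEarlySeconds;
    this.now = now;                        // epoch seconds; injectable for tests
    this.tokens = new Map();
    this.inflight = new Map();             // key -> Promise of an in-progress renewal
    this.listeners = [];
    this.timer = null;
  }

  on(listener) { this.listeners.push(listener); }
  emit(event, key, err) { for (const l of this.listeners) l(event, key, err); }

  add(key, token) { this.tokens.set(key, token); }

  // Synchronous read. Renewal happens in the background, so the token returned
  // here may already be expired: callers must check hasExpired() before use.
  get(key) { return this.tokens.get(key); }

  // A token counts as expired expireEarlySeconds before its real expiry, leaving
  // time for renewal to finish before a request is sent with the old token.
  hasExpired(token) {
    return !token || token.expiresAt - this.expireEarlySeconds <= this.now();
  }

  // Renew one key. Callers arriving while a renewal is in flight share its promise
  // instead of issuing a second request (the "return existing promise" behaviour).
  renew(key) {
    if (this.inflight.has(key)) return this.inflight.get(key);
    const old = this.tokens.get(key);
    const p = Promise.resolve()
      .then(() => this.renewToken(key, old))
      .then((fresh) => { this.tokens.set(key, fresh); this.emit('renewed', key); return fresh; })
      .catch((err) => { this.tokens.delete(key); this.emit('error', key, err); throw err; })
      .finally(() => this.inflight.delete(key));
    this.inflight.set(key, p);
    return p;
  }

  // Race-free read for code that must not use a stale token.
  async getFresh(key) {
    const token = this.get(key);
    return this.hasExpired(token) ? this.renew(key) : token;
  }

  // One pass of the "active" background process. With autoRenew the due tokens are
  // renewed; without it they are removed from storage and an 'expired' event fires.
  async renewDue() {
    const due = [...this.tokens.entries()]
      .filter(([, token]) => this.hasExpired(token))
      .map(([key]) => key);
    if (this.autoRenew) {
      await Promise.allSettled(due.map((key) => this.renew(key)));
    } else {
      for (const key of due) { this.tokens.delete(key); this.emit('expired', key); }
    }
    return due;
  }

  start(intervalMs = 5000) { this.stop(); this.timer = setInterval(() => this.renewDue(), intervalMs); }
  stop() { if (this.timer) { clearInterval(this.timer); this.timer = null; } }
}
```

The point of `getFresh` is that `get` alone is not enough once renewal is asynchronous: a caller that reads a token at the moment the background process is replacing it must either tolerate a 401 and retry, or check `hasExpired` and await the renewal, as shown.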
- #522 Fixes `token.isLoginRedirect` issue with `code` query params in url
- #517 Fixes OAuth redirect params issue in legacy browsers
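The following is an added example, not okta-auth-js code, that implements the callback-detection rules spelled out across #583, #520 and #522 above: the current URL must match the configured `redirectUri` (relative values resolved against the current origin), OAuth parameters may arrive in the query (`code`, PKCE) or the fragment (implicit flow), and an `error`/`error_description` response still counts as a login redirect but makes parsing throw. The `OAuthError` class, the `state` comparison and the function names are this example's own; the real SDK also restores transaction meta before checking `state`.

```javascript
// Added example (not okta-auth-js): deciding whether the current URL is the OAuth callback.
const OAUTH_KEYS = ['code', 'interaction_code', 'access_token', 'id_token',
                    'error', 'error_description', 'state'];

class OAuthError extends Error {
  constructor(errorCode, errorSummary) {
    super(`${errorCode}: ${errorSummary || ''}`);
    this.name = 'OAuthError';
    this.errorCode = errorCode;
    this.errorSummary = errorSummary;
  }
}

// Collect OAuth parameters from the fragment (response_mode=fragment, used by the
// implicit flow) if it carries any, otherwise from the query (response_mode=query).
function getOAuthParams(urlString) {
  const url = new URL(urlString);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const source = OAUTH_KEYS.some((k) => fragment.has(k)) ? fragment : url.searchParams;
  const params = {};
  for (const key of OAUTH_KEYS) {
    if (source.has(key)) params[key] = source.get(key);
  }
  return params;
}

// #520: only treat the page as a callback when origin and path match redirectUri.
// A relative redirectUri (#503) is resolved against the current origin.
function matchesRedirectUri(currentUrl, redirectUri) {
  const current = new URL(currentUrl);
  const expected = new URL(redirectUri, current.origin);
  const strip = (p) => p.replace(/\/+$/, '');
  return current.origin === expected.origin && strip(current.pathname) === strip(expected.pathname);
}

// True when the URL is the redirect URI and carries either a result or an error.
function isLoginRedirect(currentUrl, redirectUri) {
  if (!matchesRedirectUri(currentUrl, redirectUri)) return false;
  const p = getOAuthParams(currentUrl);
  return Boolean(p.code || p.interaction_code || p.access_token || p.id_token ||
                 p.error || p.error_description);
}

// #583: an error response is surfaced as an exception rather than silently ignored.
// expectedState is the value saved before the redirect; a mismatch is rejected so a
// forged or replayed callback cannot complete the flow.
function parseFromUrl(currentUrl, expectedState) {
  const p = getOAuthParams(currentUrl);
  if (p.error || p.error_description) {
    throw new OAuthError(p.error || 'unknown_error', p.error_description);
  }
  if (p.state !== expectedState) {
    throw new OAuthError('invalid_state', 'state does not match the value saved before redirect');
  }
  return p;
}
```

Guarding on the path as well as on the presence of `code` matters because an unrelated page of the same app can legitimately have a `code` query parameter; without the path check the app would try to exchange it and start a second OAuth flow (the #410 / #522 problem).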
- #491 Fixes issue with OAuth param cookie when using self-hosted signin widget
- #489 Fixes sameSite cookie setting when running on HTTP connection
- #473 Fixes login issue when cookies are blocked or used as shared state storage
- #440 Fixes signOut XHR fallback to reload page only if postLogoutRedirectUri matches the current URI
- #445 Clears access token from storage after token revocation
- #422 Fixes revoke accessToken in signOut method
- #441 Fixes issue involving an "invalid grant" error: "PKCE verification failed."
- #431 Skips non-parsable iframe messages for `sdk.fingerprint`
- #408 Provides a polyfill for IE 11+
- #410 Adds `token.isLoginRedirect` function to prevent the app from starting a new OAuth flow while already in OAuth callback state.
- #400 Allows an accessToken to be retrieved without an idToken. Also allows retrieving "default" scopes as defined by the custom authorization server.
- #402 Fixes tokenManager cookie storage size limitation issue by storing tokens in separate cookies.
- #395 Prevents concurrent use of token API methods such as `getWithoutPrompt`, `getWithRedirect` or `getWithPopup` within a single running instance. These methods will be executed within a queue to ensure that they complete sequentially. This fix only affects a single instance. If there are several instances running (for example, in multiple tabs) it is still possible for token API methods to be executing concurrently.
- #399 Fixes an error involving PKCE flow and the signin widget.
- #384 Shifts browser storage for ephemeral PKCE code challenge to default to sessionStorage before localStorage or cookies.
  - This should reduce problems with multiple tabs making overlapping requests to renew tokens.
- #386 Fixes `token.verify`: `validationParams` should be optional.
- #369
  - Will reject with error if PKCE is enabled but not supported when an OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows
  - Will print a console warning and disable secure cookies if cookies.secure is enabled on an HTTP connection. Previously this would throw in the constructor.
- #363
  - Expose server bundle for React Native platform as an Authentication SDK.
  - Handle userAgent customization with newly added userAgent field in config.
- #354 - Omit cookies from API requests. Removes warning messages in latest version of Chrome.
- #355 - Fix for authorization_code flow for non-SPA applications (when responseType=code and pkce=false). The code can be retrieved client-side using `parseFromUrl()` without throwing an error.
- New option `cookies` allows overriding default `secure` and `sameSite` values.
- #308 - Removed `jquery` and `reqwest` httpRequesters
- #309 - Removed `Q` library, now using standard Promise. IE11 will require a polyfill for the `Promise` object. Use of `Promise.prototype.finally` requires Node > 10.3 for server-side use.
- #310 - New behavior for signOut()
  - `postLogoutRedirectUri` will default to `window.location.origin`
  - signOut() will revoke access token and perform redirect by default. Fallback to XHR closeSession() if no idToken.
  - New method closeSession() for XHR signout without redirect or reload.
  - New method revokeAccessToken()
- #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The `state` parameter (passed to authorize request) is also returned.
- #313 - An HTTPS origin will be enforced unless running on `http://localhost` or `cookies.secure` is set to `false`
- #316 - Option `issuer` is required. Option `url` has been deprecated and is no longer used.
- #317 - `pkce` option is now `true` by default. `grantType` option is removed.
- #320 - `getWithRedirect`, `getWithPopup`, and `getWithoutPrompt` previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.
  - Default responseType when using implicit flow is now `['token', 'id_token']`.
  - When both access token and id token are returned, the id token's `at_hash` claim will be validated against the access token
- #325 - Previously, the default `responseMode` for PKCE was `"fragment"`. It is now `"query"`. Unless explicitly specified using the `responseMode` option, the `response_mode` parameter is no longer passed by `token.getWithRedirect` to the `/authorize` endpoint. The `response_mode` will be set by the backend according to the OpenID specification. Implicit flow will use `"fragment"` and PKCE will use `"query"`. If previous behavior is desired, PKCE can set the `responseMode` option to `"fragment"`.
- #329 - Fix internal fetch implementation. `responseText` will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as `responseJSON` and `responseType` will be set to "json". An invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the `status` code returned from the server.
- #306 - Now using babel for ES5 compatibility. All polyfills have been removed.
- #312 - Added an E2E test for server-side authentication (node module, not webpack).
- #338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless `tokenManager.secure` is set to `true` via config.
- #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)
- #324 - Support `responseMode: "query"` option for SPA apps using PKCE flow
- #315 - `getWellKnown` was using base url over issuer. Method has been fixed to use issuer, if configured, and will fall back to base url
- #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)
- #304 - Will set a 'SameSite' value on all cookies set by this SDK
  - Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'
- #271 - New option `onSessionExpired`
- #293 - Copy markdown files to package directory during publish
- #288 - New options for `signOut`:
  - Can provide a post-logout redirect URI.
  - Can revoke access token
- #288 - calling `signOut` will clear the TokenManager.
- #284 - `isPKCESupported` will return false if `TextEncoder` is not available (IE Edge).
- #284 - better error messages when attempting to use PKCE in an unsupported browser configuration.
- Fixes incorrect npm publish of previous version
- #266 - New storage options for TokenManager
- #265 - Fix for popup blockers
- #256 - Adds E2E tests, updates test app
- #249 - Convert to yarn workspace
- #264 - Removed lib/config.js, replaced with lib/constants.js and webpack define
- add5369 Add support to pass callback to poll function
- 541683 Origin mismatch will now cause promise rejection (token renew)
- d9900a TokenManager: return existing promise for concurrent requests
- 77ece4 Clear token on 'AuthSdkError'
- (#238) - Adds pass-thru of optional 'loginHint' and 'idpScopes' params (resolves issue #214)
- (#235) - Option `grantType` has been deprecated and will be removed in 3.0
- (#233) - New option `pkce`
- (#233) The default `responseMode` was incorrectly set to `fragment` instead of `query` when the `responseType` was `code`. This regression was introduced in version `2.6.0`.
- 747216b fix build process, so that /dist/okta-auth-js.min.js is for browsers (since version 2.2.0, dist/ output was being built for node.js applications, which was not intended)
- d8d2fee TokenManager: new option `expireEarlySeconds`
- TokenManager: Re-enables use of custom storage keys
- TokenManager: Document the `maxClockSkew` option
- 0a8a4e1 PKCE support
- TokenManager: tokens were being expired 5 minutes early
- d736cc9 - New TokenManager option to support HTTPS-only "secure" cookies.
- fddec0a - Use `fetch` as the default request agent (instead of `reqwest`).
- #187 - When the deprecated `ajaxRequest` was passed to config, the logger for the deprecation message was still using window.console. This fix makes the logger isomorphic.
- #184 - Adds support for calling the AuthN API from Node
- #172 - Fixes an issue where default storage was read-only
- #161 - `ignoreSignature` was not set when redirecting
- Fixed a problem, introduced in 2.0.0, that was causing tokens to be refreshed every time `authClient.tokenManager.get('accessToken')` was called.
- Token retrieval is now asynchronous to account for automatic token renewal.

  ```javascript
  // ES2016+ (inside an async function)
  const accessToken = await authClient.tokenManager.get('accessToken');

  // Handle as a promise
  authClient.tokenManager.get('accessToken')
    .then(function(accessToken) {
      console.log(accessToken);
    });
  ```

- Removed the following deprecated methods:
  - `idToken.authorize`
  - `idToken.verify`
  - `idToken.refresh`
  - `idToken.decode`
- Clears whitespace around URLs when instantiating the client.
- Infers the `url` from the `issuer` to simplify client setup.
- Renames all `refresh` methods on the `token` and `tokenManager` objects to `renew`.