Changelog

6.3.0

Fixes

  • #1136 Fixes typo in security question enrollment

6.2.0

Features

  • #1113 Updates types for SigninWithCredentialsOptions and SignInOptions to support SP Initiated Auth
  • #1125 IDX - Supports auto select methodType (when only one selection is available) for authenticator-verification-data remediation
  • #1114 Exposes ESM node bundle

Fixes

  • #1114 Fixes ESM browser bundle issue by only using ESM import syntax
  • #1130 State is now stored in session during the verifyEmail flow

Other

  • #1124
    • Adds multi-tab "leadership" election to prevent all tabs from renewing tokens at the same time
    • Adds granular configurations for autoRenew (active vs passive)
    • Adds options to isAuthenticated to override client configuration
    • Fixes issue in token renew logic within isAuthenticated: tokens are now read from tokenManager (not memory) before expiration is checked

6.1.0

Features

  • #1036 Adds webauthn authenticator support in idx module
  • #1075 Adds top level invokeApiMethod method as an escape hatch to make arbitrary Okta API requests
  • #1093 Allows passing device context headers (X-Forwarded-For, User-Agent, X-Okta-User-Agent-Extended and X-Device-Token) to idx.interact. See the setHeaders section for how to add headers to HTTP requests.

Fixes

  • #1071 TypeScript: Adds fields for Input type in NextStep object
  • #1094 TypeScript: Fixes SigninOptions.context type
  • #1092 Call updateAuthState when handleLoginRedirect fails

Other

  • #1073 Upgrades cross-fetch to resolve security vulnerability

6.0.0

Breaking Changes

  • #1003 Supports generic UserClaims type. Custom claims should be extended by typescript generics, like UserClaims<{ groups: string[]; }>
  • #1050 Removes userAgent field from oktaAuth instance
  • #1014 Shared transaction storage is automatically cleared on success and error states. Storage is not cleared for "terminal" state which is neither success nor error.
  • #1051 Removes useMultipleCookies from CookieStorage options
  • #1059
    • Removes signOut option clearTokensAfterRedirect
    • Adds signOut option clearTokensBeforeRedirect (default: false) to remove local tokens before the logout redirect happens
  • #1057 Strict checks are now enabled in the TypeScript compiler options. Some type signatures have been changed to match current behavior.
  • #1062
    • Authn method introspect is renamed to introspectAuthn (still callable as tx.introspect)
    • IdxFeature enum is now defined as strings instead of numbers

Features

  • #1014 Updates IDX API to support email verify and recovery/activation
    • adds new configuration options recoveryToken and activationToken
    • email verify callback:
      • adds support for passing otp to idx pipeline
      • updates samples to display error message with OTP code
    • idx methods support new options:
      • exchangeCodeForTokens. If false, interactionCode will be returned on the transaction at the end of the flow instead of tokens.
      • autoRemediate. If false, there will be no attempt to satisfy remediations even if values have been passed.
    • TransactionManager supports new option:
      • saveLastResponse. If false, IDX responses will not be cached.
  • #1062
    • All IDX methods are exported.
    • useInteractionCodeFlow defaults to true for sample and test apps.

5.11.0

  • #1064 Supports skip authenticator in idx authentication flow

5.10.1

Fixes

  • #1054 Fixes Typescript build error

5.10.0

Features

  • #1010 Supports clearPendingRemoveTokens option in signOut method. This option can be used to avoid a cross-tab sign-out issue with the SecureRoute component of Okta's downstream client SDKs
  • #1035 Adds security question authenticator support in idx module

Fixes

  • #1028 Any error caught in token.renew() will be emitted and contain tokenKey property
  • #1027 Don't reject isAuthenticated() because of failed token renewal
  • #1032 Fixes idx recover password flow with identifier first org policy
  • #1048 Points browser field to UMD bundle

5.9.1

Other

  • #1021 Removes type field in package.json. As okta-auth-js includes multiple bundles (cjs, esm, umd) in the package, an explicit type field causes errors for some bundlers. This change fixes an issue with @angular/cli.

5.9.0

Features

  • #1004 Allows extra query parameters to be added to the authorize url

Other

  • #1000
    • Fixes broken ES module bundle
    • Updates browser field in package.json to enable bundlers to use the ES module bundle by default

Fixes

  • #1005
    • Handles rememberMe boolean in IDX Identify remediation adapter
    • Typescript: Adds type field for Input type in NextStep object
  • #1012 Fixes null access when crypto is not present

5.8.0

Features

  • #990 Supports email verify callback

5.7.0

Features

  • #983 Adds new method setHeaders
  • #990 Supports email verify callback

Fixes

  • #988 Fixes an issue where Safari and Firefox block getWithPopup
  • #995 Sends cookie for authn related requests
  • #985 Fixes issue with renewTokens that would drop scopes passed to getToken

Other

  • #981 TypeScript: Allows optional parameters for IDX methods
  • #986 TypeScript: Interface SignInWithRedirectOptions should extend TokenParams
  • #992 TypeScript: Adds fields for Input type in NextStep object
  • #997 Validates scopes config param is an array

5.6.0

Features

  • #963
    • Adds getPreviousAuthState method to AuthStateManager
    • Allows null type for authState related methods / fields
  • #948 Adds Google Authenticator support in idx module

Other

  • #947 TypeScript: Allow custom keys in AuthState interface

Bug Fixes

  • #967 Throws an error in parseFromUrl if transaction meta cannot be loaded

5.5.0

Features

  • #933 Adds ignoreLifetime option to disable token lifetime validation
  • #932 Adds a headers field containing the response headers to all responses

Bug Fixes

  • #936 Fixes an issue with multiple memory storages being created in the browser environment

5.4.3

Bug Fixes

  • #926 Fixes incorrect use of tokenManager config (autoRenew and autoRemove options) in OktaAuth.isAuthenticated.
  • #931 Fixes types compatibility issue with old typescript versions (< 3.8)
  • #930 Fixes incorrect error message in idx AuthTransaction when user is not assigned.

5.4.2

Bug Fixes

  • #927 Does not trigger authStateManager.updateAuthState during login redirect in the start method.

5.4.1

  • #916 Removes misleading warning message for TokenManager methods

5.4.0

Features

  • #908 Enables dynamic attributes for profile enrollment
  • #906
    • Checks idToken integrity during token auto renew process
    • Enables emitting renewed event for TokenManager.setTokens method
    • Exposes crypto util module

5.3.1

Bug Fixes

  • #893 Fixes MFA repeatedly returning MFA_REQUIRED status

5.3.0

Features

  • #891 Adds new method http.setRequestHeader

Bug Fixes

  • #852 Skips caching of non-successful requests
  • #883 Resolves state from token.parseFromUrl

Other

  • #853 Updates token.parseFromUrl signature (adds optional parameter)

5.2.3

Bug Fixes

  • #873 Fixes AuthStateManager emitting an inconsistent isAuthenticated state during active token auto renew by only checking existence of both tokens from storage

5.2.2

  • #862 Fixes issue with untranspiled class keyword
  • #858 Fixes issue with verifying tokens when using a proxied issuer

5.2.1

  • #845 Fixes issue with renewing using refresh tokens

5.2.0

Features

  • #831 Calculates ID token expiry time based on local clock
  • #832 Supports rotating refresh tokens
  • #838 idx.recoverPassword - checks if flow is supported

Bug Fixes

  • #832 Fixes issues with refresh tokens
  • #839 Fixes @okta/okta-idx-js missing core-js dependency.
  • #844 Fixes an issue where the ES module bundle included the SDK_VERSION placeholder

Other

  • #839
    • Moves tsd from dependencies to devDependencies
    • Reduces bundle size by upgrading @okta/okta-idx-js to 0.18.0 (replaced jsonpath with jsonpath-plus)
    • Reduces bundle size by removing unnecessary license banner

5.1.1

Bug Fixes

  • #808 Fixes CommonJS bundle missing crypto modules issue

5.1.0

Features

  • #730 updateAuthState returns a Promise.
  • Adds idx module. See details in IDX README.md

5.0.3

Bug Fixes

  • #807 Fixes CommonJS bundle missing crypto modules issue

5.0.2

Bug Fixes

  • #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect

5.0.1

Bug Fixes

  • #731 Fixes issue with handleLoginRedirect where a redirect could occur after an exception was thrown.

4.9.2

Bug Fixes

  • #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect

4.9.1

Bug Fixes

  • #731 Fixes issue with handleLoginRedirect where a redirect could occur after an exception was thrown.

5.0.0

Features

  • #694 Adds cookies.sessionCookie option

Breaking Changes

  • #689 New methods start and stop are added to control OktaAuth as a service.
  • #515 Removes token.value field
  • #540 Locks the tokenManager.expireEarlySeconds option to the default value (30s) in non-dev environments
  • #677 Http requests will not send cookies by default
  • #678 Default value for originalUri is null.
  • #706 Removes isPending from AuthState

Other

  • #675 Removes warning when calling updateAuthState when there are no subscribers
  • #706 Calling isAuthenticated will renew expired tokens when autoRenew is true

4.9.0

Bug Fixes

  • #656 Fixes TokenManager.renew to renew only requested token

Features

  • #656 Adds token.renewTokensWithRefresh

4.8.0

Features

  • #652 Accepts 'state' as a constructor option

Bug Fixes

  • #646 Fixes validate token using issuer from well-known config

Other

  • #648 Updates widget to 5.4.2
  • #653 Removes isLoginRedirect check in oidc logic
  • #661 Upgrades node-cache to 5.1.2

4.7.2

Bug Fixes

  • #638 Fixes an issue with revoking refresh tokens
  • #632 Fixes an issue with renewing refresh tokens
  • #616 Fixes issue with fetch on IE Edge versions 14-17.

4.7.1

Bug Fixes

  • #627 Fixes an issue with Typescript and StorageManagerOptions

4.7.0

Features

  • #620 Adds support for interaction_code and error=interaction_required on redirect callback
  • #604 Adds new utility objects: storageManager and transactionManager

Bug Fixes

  • #614 Fixes issue with renewTokens and implicit flow: get responseType value from SDK configuration

Other

  • #594 Adds @babel/runtime to dependencies list.
  • #572 Adds idps option for Signin widget flow in samples
  • #565 Adds support for widget version and interaction code to test app and samples

4.6.2

Bug Fixes

  • #616 Fixes issue with fetch on IE Edge versions 14-17.

4.6.1

  • #595 Ports fix for overeager catch when using refresh token originally from #579

4.6.0

Features

  • #585 Uses native fetch, if available

Other

  • #583 Better error handling for redirect flows: if redirect URI contains error or error_description then isLoginRedirect will return true and parseFromUrl will throw OAuthError

4.5.1

Bug Fixes

  • #579 Removes overeager catch when using refresh token

4.5.0

Features

  • #567 Adds new methods and a constant:
    • token.prepareTokenParams
    • token.exchangeCodeForTokens
    • pkce.generateVerifier
    • pkce.computeChallenge
    • pkce.DEFAULT_CODE_CHALLENGE_METHOD (constant)
    This API allows more control over the PKCE authorization flow and is enabled for both browser and Node.js.

4.4.0

Features

  • #554 Adds MFA types

4.3.0

Features

  • #518 Added claims to AccessToken

4.2.0

Features

  • Adding the ability to use refresh tokens with single page applications (SPA) (Early Access feature - reach out to our support team)
    • scopes configuration option now handles 'offline_access' as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings
      • If you already have tokens (from a separate instance of auth-js or the okta-signin-widget) those tokens must already include a refresh token and have the 'offline_access' scope
      • 'offline_access' is not requested by default. Anyone using the default scopes and wishing to add 'offline_access' should pass scopes: ['openid', 'email', 'offline_access'] to their constructor
    • renewTokens() will now use an XHR call to replace tokens if the app has a refresh token. This does not rely on "3rd party cookies"
      • The autoRenew option (defaults to true) already calls renewTokens() shortly before tokens expire. The autoRenew feature will now automatically make use of the refresh token if present
    • signOut() now revokes the refresh token (if present) by default, which in turn will revoke all tokens minted with that refresh token
      • The revoke calls by signOut() follow the existing revokeAccessToken parameter - when true (the default) any refreshToken will also be revoked, and when false, no tokens are explicitly revoked. This parameter name becomes slightly misleading (as it controls both access AND refresh token revocation) and will change in a future version.

4.1.2

Bug Fixes

  • #541 Fixes type error in VerifyRecoveryTokenOptions

4.1.1

Bug Fixes

  • #535 Respects scopes that are set in the constructor

4.1.0

Features

  • #869
    • Implements AuthStateManager to evaluate and emit latest authState. Exposes new methods from AuthStateManager:
      • authStateManager.getAuthState
      • authStateManager.updateAuthState
      • authStateManager.subscribe
      • authStateManager.unsubscribe
    • Adds new methods in sdk browser scope:
      • sdk.signInWithCredentials
      • sdk.signInWithRedirect
      • sdk.isAuthenticated
      • sdk.getUser
      • sdk.getIdToken
      • sdk.getAccessToken
      • sdk.storeTokensFromRedirect
      • sdk.setOriginalUri
      • sdk.getOriginalUri
      • sdk.removeOriginalUri
      • sdk.isLoginRedirect
      • sdk.handleLoginRedirect
    • Deprecates method in sdk browser scope:
      • sdk.signIn
    • Adds new methods in sdk.tokenManager:
      • tokenManager.getTokens
      • tokenManager.setTokens
    • Accepts new options
      • transformAuthState
      • restoreOriginalUri
      • autoRemove
      • devMode
  • #469 Adds "rate limiting" logic to the token autoRenew process to prevent too many requests being sent out, which may cause application rate limit issues.
  • #503 Supports relative uri for options.redirectUri
  • #478 Adds cross tabs communication to sync AuthState.
  • #525 Adds new methods hasResponseType, isPKCE, isAuthorizationCodeFlow. The option responseType is now accepted in the constructor.

Bug Fixes

  • #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
  • #514 Fixes OAuth redirect params issue in legacy browsers.

4.0.3

Bug Fixes

  • #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
  • #514 Fixes OAuth redirect params issue in legacy browsers.
  • #520 token.isLoginRedirect will check that current URL matches the redirectUri

4.0.2

  • #491 Fixes issue with OAuth param cookie when using self-hosted signin widget

  • #489 Fixes sameSite cookie setting when running on HTTP connection

4.0.1

Bug Fixes

  • #473 Fixes login issue when cookies are blocked or used as shared state storage

4.0.0

Features

  • #413 Adds support for Typescript. Uses named exports instead of default export.
  • #444 New method tokenManager.hasExpired to test if a token is expired

Breaking Changes

  • #444
    • Implements "active" autoRenew. Previously tokens would be renewed or removed when calling tokenManager.get. Now they will be renewed or removed in the background. If autoRenew is true, tokens will be renewed before expiration. If autoRenew is false, tokens will be removed from storage on expiration.
    • onSessionExpired option has been removed. TokenManager events can be used to detect and handle token renewal errors.
    • tokenManager.get no longer implements autoRenew functionality (autoRenew is done by a separate process within TokenManager). Even with autoRenew, it is possible that the token returned from the TokenManager may be expired, since renewal is an asynchronous process. New method tokenManager.hasExpired can be used to test the token and avoid this potential race condition.
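The race the last item describes, as an added example that is not from the okta-auth-js project: a helper that re-checks a token with tokenManager.hasExpired after tokenManager.get and renews explicitly when it is stale instead of sending an expired bearer token. The TokenManager used here is a constructed fake for offline use; the real SDK's get, hasExpired and renew are assumed to behave as this changelog describes.

```javascript
// Added example (not part of okta-auth-js). After 4.0.0, tokenManager.get()
// can return an already-expired token because renewal runs in the background.
// Re-check with tokenManager.hasExpired() and renew explicitly before using it.
// Assumed interface (as described in this changelog):
//   get(key) -> Promise<token|null>, hasExpired(token) -> boolean, renew(key) -> Promise<token>.
async function getFreshAccessToken(tokenManager) {
  const token = await tokenManager.get('accessToken');
  if (!token) {
    // Nothing in storage (with autoRenew=false, expired tokens are removed):
    // the caller has to start a new login rather than retry silently.
    return { status: 'missing', token: null };
  }
  if (!tokenManager.hasExpired(token)) {
    return { status: 'fresh', token };
  }
  // Expired but still stored: the background renewal has not landed yet.
  try {
    const renewed = await tokenManager.renew('accessToken');
    return { status: 'renewed', token: renewed };
  } catch (err) {
    // Renewal failed (session gone, network error): report it instead of
    // sending a stale bearer token to a resource server.
    return { status: 'error', token: null, error: err };
  }
}

// Constructed fake TokenManager for offline use; NOT the real SDK class.
// `nowMs` fixes the clock so expiry checks are deterministic; `renewResult`
// is either the token renew() should store and return, or an Error to throw.
function makeFakeTokenManager(stored, { nowMs = Date.now(), renewResult = null } = {}) {
  const store = { accessToken: stored };
  const nowSeconds = () => Math.floor(nowMs / 1000);
  return {
    async get(key) {
      return store[key] ?? null;
    },
    hasExpired(token) {
      // expiresAt is assumed to be seconds since the epoch, as on okta-auth-js token objects.
      return token.expiresAt <= nowSeconds();
    },
    async renew(key) {
      if (renewResult instanceof Error) throw renewResult;
      store[key] = renewResult;
      return renewResult;
    },
  };
}

// Constructed sample tokens (fake values, not real Okta tokens).
const NOW_MS = 1700000000 * 1000;
const FRESH_TOKEN = { accessToken: 'fake-fresh', expiresAt: 1700000000 + 600 };
const STALE_TOKEN = { accessToken: 'fake-stale', expiresAt: 1700000000 - 5 };
const RENEWED_TOKEN = { accessToken: 'fake-renewed', expiresAt: 1700000000 + 3600 };

// Exercises the fresh, renewed and failed-renewal paths and returns their statuses.
async function demo() {
  const fresh = await getFreshAccessToken(
    makeFakeTokenManager(FRESH_TOKEN, { nowMs: NOW_MS }));
  const renewed = await getFreshAccessToken(
    makeFakeTokenManager(STALE_TOKEN, { nowMs: NOW_MS, renewResult: RENEWED_TOKEN }));
  const failed = await getFreshAccessToken(
    makeFakeTokenManager(STALE_TOKEN, { nowMs: NOW_MS, renewResult: new Error('renew failed') }));
  return [fresh.status, renewed.status, failed.status];
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((statuses) => console.log(statuses.join(',')));
}
```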

3.2.6

  • #522 Fixes token.isLoginRedirect issue with code query params in url
  • #517 Fixes OAuth redirect params issue in legacy browsers

3.2.5

  • #491 Fixes issue with OAuth param cookie when using self-hosted signin widget

  • #489 Fixes sameSite cookie setting when running on HTTP connection

3.2.4

Bug Fixes

  • #473 Fixes login issue when cookies are blocked or used as shared state storage

3.2.3

Bug Fixes

  • #440 Fixes signOut XHR fallback to reload page only if postLogoutRedirectUri matches the current URI
  • #445 Clears access token from storage after token revocation

3.2.2

Bug Fixes

  • #422 Fixes revoke accessToken in signOut method
  • #441 Fixes issue involving an "invalid grant" error: "PKCE verification failed."

3.2.1

Bug Fixes

  • #431 Skips non parsable iframe messages for sdk.fingerprint

3.2.0

Features

  • #408 Provides a polyfill for IE 11+
  • #410 Adds token.isLoginRedirect function to prevent the app from starting a new OAuth flow while already in the OAuth callback state.

3.1.4

Bug Fixes

  • #400 Allows an accessToken to be retrieved without an idToken. Also allows retrieving "default" scopes as defined by the custom authorization server.

  • #402 Fixes tokenManager cookie storage size limitation issue by storing tokens in separate cookies.

3.1.3

Bug Fixes

  • #395 Prevents concurrent use of token API methods such as getWithoutPrompt, getWithRedirect or getWithPopup within a single running instance. These methods will be executed within a queue to ensure that they complete sequentially. This fix only affects a single instance. If there are several instances running (for example, in multiple tabs) it is still possible for token API methods to be executing concurrently.

  • #399 Fixes an error involving PKCE flow and the signin widget.

3.1.2

  • #384 Shifts browser storage for ephemeral PKCE code challenge to default to sessionStorage before localStorage or cookies.
    • This should reduce problems with multiple tabs making overlapping requests to renew tokens.
  • #386 Fixes token.verify: validationParams should be optional.

3.1.1

Bug Fixes

  • #369
    • Will reject with an error if PKCE is enabled but not supported when an OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows
    • Will print a console warning and disable secure cookies if cookies.secure is enabled on an HTTP connection. Previously this would throw in the constructor.

3.1.0

Features

  • #363
    • Exposes server bundle for React Native platform as an Authentication SDK.
    • Handles userAgent customization with newly added userAgent field in config.

3.0.1

Bug Fixes

  • #354 - Omit cookies from API requests. Removes warning messages in latest version of Chrome.

  • #355 - Fix for authorization_code flow for non-SPA applications (when responseType=code and pkce=false). The code can be retrieved client-side using parseFromUrl() without throwing an error.

3.0.0

Features

New option cookies allows overriding default secure and sameSite values.

Breaking Changes

  • #308 - Removed jquery and reqwest httpRequesters

  • #309 - Removed Q library, now using standard Promise. IE11 will require a polyfill for the Promise object. Use of Promise.prototype.finally requires Node > 10.3 for server-side use.

  • #310 - New behavior for signOut()

  • #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The state parameter (passed to authorize request) is also returned.

  • #313 - An HTTPS origin will be enforced unless running on http://localhost or cookies.secure is set to false

  • #316 - Option issuer is required. Option url has been deprecated and is no longer used.

  • #317 - pkce option is now true by default. grantType option is removed.

  • #320 - getWithRedirect, getWithPopup, and getWithoutPrompt previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.

  • #321
    • Default responseType when using implicit flow is now ['token', 'id_token'].
    • When both access token and id token are returned, the id token's at_hash claim will be validated against the access token
  • #325 - Previously, the default responseMode for PKCE was "fragment". It is now "query". Unless explicitly specified using the responseMode option, the response_mode parameter is no longer passed by token.getWithRedirect to the /authorize endpoint. The response_mode will be set by the backend according to the OpenID specification. Implicit flow will use "fragment" and PKCE will use "query". If previous behavior is desired, PKCE can set the responseMode option to "fragment".

  • #329 - Fix internal fetch implementation. responseText will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as responseJSON and responseType will be set to "json". Invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the status code returned from the server.

2.13.2

Bug Fixes

  • #338 - (Fix for Chrome 80) Sets 'Secure' on cookies if running on HTTPS and 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) retains previous behavior, setting 'SameSite=Lax' in all cases unless tokenManager.secure is set to true via config.

2.13.1

Bug Fixes

  • #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)

2.13.0

Features

  • #324 - Support responseMode: "query" option for SPA apps using PKCE flow

2.12.1

Bug Fixes

  • #315 - getWellKnown was using the base url instead of the issuer. The method has been fixed to use the issuer, if configured, and fall back to the base url
  • #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)

2.12.0

Features

  • #304 - Will set a 'SameSite' value on all cookies set by this SDK
    • Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'

2.11.2

Features

  • #271 - New option onSessionExpired

2.11.1

Other

  • #293 - Copy markdown files to package directory during publish

2.11.0

Features

  • #288 - New options for signOut:
    • Can provide a post-logout redirect URI.
    • Can revoke access token

Bug Fixes

  • #288 - calling signOut will clear the TokenManager.
  • #284 - isPKCESupported will return false if TextEncoder is not available (IE Edge).

Other

  • #284 - better error messages when attempting to use PKCE in an unsupported browser configuration.

2.10.1

Other

  • Fixes incorrect npm publish of previous version

2.10.0

Features

  • #266 - New storage options for TokenManager

Bug Fixes

  • #265 - Fix for popup blockers

Other

  • #256 - Adds E2E tests, updates test app
  • #249 - Convert to yarn workspace
  • #264 - Removed lib/config.js, replaced with lib/constants.js and webpack define

2.9.0

Features

  • add5369 Adds support for passing a callback to the poll function

Bug Fixes

  • 541683 Origin mismatch will now cause promise rejection (token renew)
  • d9900a TokenManager: return existing promise for concurrent requests
  • 77ece4 Clear token on 'AuthSdkError'

2.7.0

Features

  • (#238) - Adds pass-thru of optional 'loginHint' and 'idpScopes' params (resolves issue #214)

2.6.3

Other

  • (#235) - Option grantType has been deprecated and will be removed in 3.0

2.6.2

Bug Fixes

  • (#233) The default responseMode was incorrectly set to fragment instead of query when the responseType was code. This regression was introduced in version 2.6.0.

  • 747216b Fixes the build process so that /dist/okta-auth-js.min.js is built for browsers (since version 2.2.0, the dist/ output had been built for Node.js applications, which was not intended)

2.6.1

Features

  • d8d2fee TokenManager: new option expireEarlySeconds

Bug Fixes

  • TokenManager: Re-enables use of custom storage keys

Other

  • TokenManager: Document the maxClockSkew option

2.6.0

Bug Fixes

  • TokenManager: tokens were being expired 5 minutes early

2.5.0

Features

  • d736cc9 - New TokenManager option to support HTTPS-only "secure" cookies.

Other

  • fddec0a - Use fetch as the default request agent (instead of reqwest).

2.3.1

Bug Fixes

  • #187 - When deprecated ajaxRequest was passed to config, the logger for the deprecate message was still using window.console. This fix makes the logger isomorphic.

2.3.0

Features

  • #184 - Adds support for calling the AuthN API from Node

2.2.0

Bug Fixes

  • #178 - Resolves an issue introduced with #171 causing the silent login flow to throw errors

2.1.0

Bug Fixes

  • #172 - Fixes an issue where default storage was read-only
  • #161 - ignoreSignature was not set when redirecting

Other

  • #171 - Scrub null/undefined values from authorize requests
  • #162 - Update dependencies

2.0.1

Bug Fixes

  • Fixed a problem, introduced in 2.0.0, that was causing tokens to be refreshed every time authClient.tokenManager.get('accessToken') was called.

2.0.0

Breaking Changes

  • Token retrieval is now asynchronous to account for automatic token renewal.

    // ES2016+
    const accessToken = await authClient.tokenManager.get('accessToken');
    
    // Handle as a promise
    authClient.tokenManager.get('accessToken')
    .then(function(accessToken) {
      console.log(accessToken);
    });
  • Removed the following deprecated methods:

    • idToken.authorize
    • idToken.verify
    • idToken.refresh
    • idToken.decode

Features

  • Clears whitespace around URLs when instantiating the client.
  • Infer the url from the issuer to simplify client setup.

Other

  • Renames all refresh methods on the token and tokenManager objects to renew.