- `./polyfill` in `package.json`
- `options.step` is available
- `SyncStorageService`, using `broadcast-channel` instead of `StorageEvent`. Supports `localStorage` and `cookie` storage.
- `LeaderElectionService` as a separate service
- Channel is closed while stopping leader election
- `broadcast-channel`
- #1225 `oktaAuth.start`/`oktaAuth.stop` now return a `Promise`, which resolves only after the services have started/stopped
- #1226 Fixes an SDK-level `undefined` error on IDX terminal status responses when using `GenericRemediator` (beta)
- #1222 Invalid (or expired) refresh tokens are now removed from storage when an invalid-token error occurs
- `relatesTo` type from `NextStep`
- `maxAge` param in interaction code flow. This parameter can be passed in from either SDK-level options or `idx.interact` options.
- `options` field in `inputs` scope, and deprecated top-level `options` from the `nextStep` field of the response (removal will happen in the next major version).
- `input` type indicator's field name for `username` and `authenticator`. Before, the indicator was named `key`; now it is `type`, to follow the input metadata of all other inputs.
- `stepUp` on returned `IdxTransaction`
- `credentials` object
- dynamic `import` transpiling issue
- #1177 - fixes issue with repeated calls to `oktaAuth.start()`
- `requestDidSucceed` is returned on `IdxTransaction`
- `shouldProceedWithEmailAuthenticator` to disable email authenticator auto-selection
- `user` property now optional
- `key` property
- `authenticator` can be provided to IDX methods as either a string (representing the authenticator key) or an authenticator object
- `credentials` object can be passed to satisfy an "identify" remediation instead of `username` and `password`
- `idx.proceed` will continue without saved transaction meta if a `stateHandle` is available
- `requestDidSucceed`, which will be `false` if the XHR returned with a non-2xx HTTP status
- `transformAuthState`. Concurrent auth state updates will now enqueue calls to `transformAuthState` so that they execute sequentially
- `step` option in IDX flows: it will only be used for a single remediation cycle
- `SigninWithCredentialsOptions` and `SignInOptions` to support SP Initiated Auth
- `authenticator-verification-data` remediation
- `import` syntax
- `state` now stored in session during the verifyEmail flow
- `autoRenew` (active vs passive)
- `isAuthenticated` to override client configuration
- `isAuthenticated`: tokens are now read from `tokenManager` (not memory) before expiration is checked
- `webauthn` authenticator support in idx module
- `invokeApiMethod` method as an escape hatch to make arbitrary Okta API requests
- (`X-Forwarded-For`, `User-Agent`, `X-Okta-User-Agent-Extended` and `X-Device-Token`) to `idx.interact`. Follow the setHeaders section to add headers to HTTP requests.
- `Input` type in `NextStep` object
- `SigninOptions.context` type
- `updateAuthState` when `handleLoginRedirect` fails
- `cross-fetch` to resolve a security vulnerability
- `UserClaims<{ groups: string[]; }>`
- `userAgent` field from the oktaAuth instance
- `useMultipleCookies` from `CookieStorage` options
- `clearTokensAfterRedirect`
- `clearTokensBeforeRedirect` (default: `false`) to remove local tokens before the logout redirect happens
- `introspect` is renamed to `introspectAuthn` (still callable as `tx.introspect`)
- `IdxFeature` enum is now defined as strings instead of numbers
- `recoveryToken` and `activationToken`
- `otp` to idx pipeline
- `exchangeCodeForTokens`. If `false`, `interactionCode` will be returned on the transaction at the end of the flow instead of `tokens`.
- `autoRemediate`. If `false`, there will be no attempt to satisfy remediations even if values have been passed.
- `saveLastResponse`. If `false`, IDX responses will not be cached.
- `useInteractionCodeFlow` defaults to `true` for sample and test apps.
- `getPreviousAuthState` method to `AuthStateManager`
- Google Authenticator support in idx module
- `AuthState` interface
- `parseFromUrl` if transaction meta can't be loaded
- `authStateManager.updateAuthState` during login redirect in the `start` method.
- `MFA_REQUIRED` status
- `isAuthenticated` state during active token auto-renew, by only checking the existence of both tokens in storage
- `idx.recoverPassword` - checks if the flow is supported
- `@okta/okta-idx-js` missing core-js dependency.
- `SDK_VERSION` placeholder issue
- `tsd` from dependencies to devDependencies
- `@okta/okta-idx-js` to 0.18.0 (replaced `jsonpath` with `jsonpath-plus`)
- `updateAuthState` returns a Promise.
- `idx` module. See details in IDX README.md
- `handleLoginRedirect` where a redirect could occur after an exception was thrown.
- `cookies.sessionCookie` option
- `start` and `stop` are added to control `OktaAuth` as a service.
- `token.value` field
- `tokenManager.expireEarlySeconds` option with the default value (30s) for non-dev environments
- `originalUri` is null.
- `isPending` from `AuthState`
- `handleLoginRedirect` where a redirect could occur after an exception was thrown.
- `StorageManagerOptions`
- `fetch` on IE Edge versions 14-17.
- `catch` when using a refresh token
- `token.prepareTokenParams`, `token.exchangeCodeForTokens`, `pkce.generateVerifier`, `pkce.computeChallenge` and the constant `pkce.DEFAULT_CODE_CHALLENGE_METHOD`. This API allows more control over the PKCE authorization flow and is enabled for both browser and Node.js.
- `claims` to `AccessToken`
- `scopes` configuration option now handles `'offline_access'` as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings
- Apps that set their own `scopes` and wish to add `'offline_access'` should pass `scopes: ['openid', 'email', 'offline_access']` to their constructor
- `renewTokens()` will now use an XHR call to replace tokens if the app has a refresh token. This does not rely on "3rd party cookies"
- `autoRenew` option (defaults to `true`) already calls `renewTokens()` shortly before tokens expire. The `autoRenew` feature will now automatically make use of the refresh token if present
- `signOut()` now revokes the refresh token (if present) by default, which in turn will revoke all tokens minted with that refresh token
- `signOut()` follows the existing `revokeAccessToken` parameter: when `true` (the default) any refresh token will also be revoked, and when `false`, no tokens are explicitly revoked. This parameter name becomes slightly misleading (as it controls both access AND refresh token revocation) and will change in a future version.
- `VerifyRecoveryTokenOptions`
- `scopes` that are set in the constructor
- `AuthStateManager` to evaluate and emit the latest authState. Exposes new methods from `AuthStateManager`:
  - `authStateManager.getAuthState`
  - `authStateManager.updateAuthState`
  - `authStateManager.subscribe`
  - `authStateManager.unsubscribe`
- `sdk.signInWithCredentials`
- `sdk.signInWithRedirect`
- `sdk.isAuthenticated`
- `sdk.getUser`
- `sdk.getIdToken`
- `sdk.getAccessToken`
- `sdk.storeTokensFromRedirect`
- `sdk.setOriginalUri`
- `sdk.getOriginalUri`
- `sdk.removeOriginalUri`
- `sdk.isLoginRedirect`
- `sdk.handleLoginRedirect`
- `sdk.signIn`
- `sdk.tokenManager`:
  - `tokenManager.getTokens`
  - `tokenManager.setTokens`
- `transformAuthState`
- `restoreOriginalUri`
- `autoRemove`
- `devMode`
- `AuthState`.
- `hasResponseType`, `isPKCE`, `isAuthorizationCodeFlow`. The option `responseType` is now accepted in the constructor.
- `tokenManager.hasExpired` to test if a token is expired
- `tokenManager.get` no longer renews or removes tokens. Now they will be renewed or removed in the background. If `autoRenew` is `true`, tokens will be renewed before expiration. If `autoRenew` is `false`, tokens will be removed from storage on expiration.
- `onSessionExpired` option has been removed. TokenManager events can be used to detect and handle token renewal errors.
- `tokenManager.get` no longer implements autoRenew functionality (autoRenew is done by a separate process within `TokenManager`). Even with `autoRenew`, it is possible that the token returned from the TokenManager may be expired, since renewal is an asynchronous process. The new method `tokenManager.hasExpired` can be used to test the token and avoid this potential race condition.
- `sdk.fingerprint`
- #395 Prevents concurrent use of token API methods such as `getWithoutPrompt`, `getWithRedirect` or `getWithPopup` within a single running instance. These methods will be executed within a queue to ensure that they complete sequentially. This fix only affects a single instance. If there are several instances running (for example, in multiple tabs) it is still possible for token API methods to be executing concurrently.
- #399 Fixes an error involving PKCE flow and the signin widget.
- Will reject with an error if PKCE is enabled but not supported when an OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows.
- Will print a console warning and disable secure cookies if `cookies.secure` is enabled on an HTTP connection. Previously this would throw in the constructor.
- New option `cookies` allows overriding the default `secure` and `sameSite` values.
- #308 - Removed `jquery` and `reqwest` httpRequesters
- #309 - Removed the `Q` library, now using standard `Promise`. IE11 will require a polyfill for the `Promise` object. Use of `Promise.prototype.finally` requires Node > 10.3 for server-side use.
- #310 - New behavior for `signOut()`: `postLogoutRedirectUri` will default to `window.location.origin`
- #311 - `parseFromUrl()` now returns tokens in an object hash (instead of an array). The `state` parameter (passed to the authorize request) is also returned.
- #313 - An HTTPS origin will be enforced unless running on `http://localhost` or `cookies.secure` is set to `false`
- #316 - Option `issuer` is required. Option `url` has been deprecated and is no longer used.
- #317 - `pkce` option is now `true` by default. `grantType` option is removed.
- #320 - `getWithRedirect`, `getWithPopup`, and `getWithoutPrompt` previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.
- `['token', 'id_token']`. The `at_hash` claim will be validated against the access token
- #325 - Previously, the default `responseMode` for PKCE was `"fragment"`. It is now `"query"`. Unless explicitly specified using the `responseMode` option, the `response_mode` parameter is no longer passed by `token.getWithRedirect` to the `/authorize` endpoint. The `response_mode` will be set by the backend according to the OpenID specification. Implicit flow will use `"fragment"` and PKCE will use `"query"`. If the previous behavior is desired, PKCE can set the `responseMode` option to `"fragment"`.
- #329 - Fix internal fetch implementation. `responseText` will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as `responseJSON` and `responseType` will be set to `"json"`. Invalid/malformed JSON server responses will no longer throw a raw `TypeError` but will return a well-structured error response which includes the `status` code returned from the server.
- #306 - Now using babel for ES5 compatibility. All polyfills have been removed.
- #312 - Added an E2E test for server-side authentication (node module, not webpack).
- #338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless `tokenManager.secure` is set to `true` via config.
- `responseMode: "query"` option for SPA apps using the PKCE flow
- `onSessionExpired`
- `signOut`: `signOut` will clear the TokenManager.
- `isPKCESupported` will return `false` if `TextEncoder` is not available (IE Edge).
- `grantType` has been deprecated and will be removed in 3.0
- `pkce`
- (#233) The default `responseMode` was incorrectly set to `fragment` instead of `query` when the `responseType` was `code`. This regression was introduced in version 2.6.0.
- 747216b fix build process, so that `/dist/okta-auth-js.min.js` is for browsers (since version 2.2.0, `dist/` output was being built for node.js applications, which was not intended)
- `expireEarlySeconds`
- `maxClockSkew` option
- When `ajaxRequest` was passed to config, the logger for the deprecate message was still using `window.console`. This fix makes the logger isomorphic.
- `authClient.tokenManager.get('accessToken')` was called. Token retrieval is now asynchronous to account for automatic token renewal.
```javascript
// ES2016+ (inside an async function)
const accessToken = await authClient.tokenManager.get('accessToken');

// Handle as a promise
authClient.tokenManager.get('accessToken')
  .then(function (accessToken) {
    console.log(accessToken);
  });
```
Removed the following deprecated methods:

- `idToken.authorize`
- `idToken.verify`
- `idToken.refresh`
- `idToken.decode`

- The `url` is now derived from the `issuer` to simplify client setup.
- Renamed the `refresh` methods on the `token` and `tokenManager` objects to `renew`.