Releases: auth0/auth0-spa-js
v1.8.2
Fixed
- [SDK-1640] Allow the client to be constructed in a Node SSR environment #471 (adamjmcgrath)
- [SDK-1634] Pass custom options to the token endpoint #465 (stevehobbsdev)
- [SDK-1649] Fix issue where cache was missed when scope parameter was provided #461 (adamjmcgrath)
v1.8.1
Fixed
- Fix issue with create-react-app webpack build #451 (adamjmcgrath)
v1.8.0
This version fixes a problem using the SDK within a Gatsby site, which would fail a build with a "Blob is not defined" error, as well as introducing the ability to specify custom default scopes.
Custom default scopes
Usage:
await createAuth0Client({
  domain: 'your-domain.auth0.com',
  client_id: 'some-client-id-xyz',
  advancedOptions: {
    defaultScope: 'email'
  }
});
Full changelog
Added
- [SDK-1417] Customizable default scopes #435 (stevehobbsdev)
- include polyfill for Set #426 (tony-aq)
Fixed
- Update rollup-plugin-web-worker-loader to 1.1.1 #443 (stevehobbsdev)
- Updated login_hint js docs to clarify usage with Lock #441 (stevehobbsdev)
v1.7.0
Highlights
This release introduces a number of new features; two of these are detailed below:
Rotating Refresh Tokens
This feature adds support for rotating Refresh Tokens, which can be used to mitigate the effects of modern browser privacy tools, such as Safari's ITP technology. Refresh tokens do not depend on the user's session cookie and thus are unaffected by third-party cookie blocking.
To turn on the use of Refresh Tokens in the SDK, use the useRefreshTokens option when configuring the SDK client:
await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  useRefreshTokens: true // the default is 'false'
})
Local Storage
From this release, you will be able to opt-in to using local storage to store the tokens that are returned from the authorization server. The default is to use the in-memory cache.
Note: Enabling local storage changes the security characteristics of your application; please read and understand the implications of enabling use of local storage to store tokens.
To do this, set cacheLocation to localstorage when configuring the SDK client:
await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  cacheLocation: 'localstorage'
})
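What the cacheLocation choice means for token exposure, as an added example that is not code from auth0-spa-js: an in-memory cache leaves nothing in browser storage, while a storage-backed cache places token material where any script running on the origin can read it, and a small audit can flag such entries. FakeStorage, both cache factories, auditStorage and the 'app::tokens' key are hypothetical names, and the sample entry is constructed.

```javascript
// Added example: hypothetical caches and key name, not auth0-spa-js internals.
// Minimal stand-in for window.localStorage so the example runs under Node.
class FakeStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// In-memory cache: entries live in a closure and never reach browser storage.
function createMemoryCache() {
  const entries = new Map();
  return { save: (k, e) => entries.set(k, e), get: (k) => entries.get(k) };
}

// Storage-backed cache: entries are serialized into origin-wide storage.
function createStorageCache(storage) {
  return {
    save: (k, e) => storage.setItem(k, JSON.stringify(e)),
    get: (k) => JSON.parse(storage.getItem(k) || 'null'),
  };
}

// Audit: list storage keys whose value holds a JWT-shaped string
// (three base64url segments) or a refresh_token field.
const JWT_SHAPE = /[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/;
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    const reasons = [];
    if (JWT_SHAPE.test(value)) reasons.push('jwt-shaped value');
    if (/"refresh_token"\s*:/.test(value)) reasons.push('refresh_token field');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample entry; both token strings are placeholders.
const SAMPLE_ENTRY = { access_token: 'aaaa.bbbb.cccc', refresh_token: 'constructed-rt' };
function compareCaches() {
  const memoryPage = new FakeStorage(); // storage of a page using the memory cache
  createMemoryCache().save('app::tokens', SAMPLE_ENTRY);
  const localPage = new FakeStorage(); // storage of a page using the storage cache
  createStorageCache(localPage).save('app::tokens', SAMPLE_ENTRY);
  return { memory: auditStorage(memoryPage), local: auditStorage(localPage) };
}
```

In a browser, passing window.localStorage to auditStorage gives the same report for the real origin storage.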
The full changelog is below.
Added
- Support for rotating refresh tokens #315 (stevehobbsdev)
- Export types from global TypeScript file. #310 (maxswa)
- Local Storage caching mechanism #303 (stevehobbsdev)
Changed
- Use Web Workers for token endpoint call for in-memory storage #409 (adamjmcgrath)
- Export constructor #385 (adamjmcgrath)
- Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
- Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
- Stop checking isAuthenticated cookie on initialization when using local storage #352 (stevehobbsdev)
- getTokenSilently retry logic #336 (stevehobbsdev)
- Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)
Fixed
- Check if source of event exists before closing it #410 (gerritdeperrit)
- Check if iframe is still in body before removing #399 (paulfalgout)
- Fix typings to allow custom claims in ID token #386 (picosam)
- Fix error in library type definitions #367 (devoto13)
Security
- Dependency upgrade #405 (stevehobbsdev)
v1.7.0-beta.5
Changed
- [SDK-1379] Export constructor #385 (adamjmcgrath)
v1.6.5
Changed
- [SDK-1395] Refactor loginWithPopup to optionally accept an existing popup window #368 (stevehobbsdev)
- handleRedirectCallback won't pass redirect_uri undefined if not set in transaction #374 (albertlockett)
- Update dependencies within semver ranges #371 (stevehobbsdev)
- [SDK-1099] Add localOnly logout option #362 (adamjmcgrath)
- center popup over owner window #356 (ggascoigne)
Fixed
- [SDK-1127] Delay removal of iframe to prevent Chrome hanging status bug #240 #376 (adamjmcgrath)
- [SDK-1125] createAuth0Client now throws errors that are not login_required #369 (stevehobbsdev)
v1.7.0-beta.4
Changed
- [SDK-1386] Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
Fixed
v1.7.0-beta.3
Added
Changed
- [SDK-1352] Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
- [SDK-1352] Stop checking isAuthenticated cookie on initialization when using local storage #352 (stevehobbsdev)
- [SDK-1279] getTokenSilently retry logic #336 (stevehobbsdev)
v1.6.4
- [SDK-1308] Return appState value on error from handleRedirectCallback #348 (stevehobbsdev)
- Configurable timeout for getTokenSilently() #347 (Serjlee)
v1.6.3
Fixed
- Send same redirect_uri as /authorize to /token #341 (stevehobbsdev)
- No longer acquires a browser lock if there was a hit on the cache #339 (stevehobbsdev)
- Use user provided params on silent login #318 (nkete)