v9.8.1 (2018-10-23)
Fixed
- Fixed transaction state not being set to expire in 30 minutes #835 (sayuti-daniel)
- Fix incorrect error wrapping for signup/change password errors #829 (luisrudge)
v9.8.0 (2018-09-26)
Released
v9.7.4-beta1 (2018-08-28)
Changed
v9.7.3 (2018-07-23)
Fixed
v9.7.3-beta1 (2018-07-18)
Fixed
- Fix npm module export #808 (luisrudge)
- We're testing the new module export to make sure we restore the previous behavior before committing to a patch fix
v9.7.2 (2018-07-13)
Fixed
v9.7.1 (2018-07-13)
Fixed
v9.7.0 (2018-07-12)
Added
Fixed
- options is optional in WebAuth.prototype.authorize #789 (behrangsa)
- Removing
domainoption from methods (it can't be overridden) #781 (luisrudge)
v9.6.1 (2018-06-07)
Fixed
v9.6.0 (2018-05-28)
Changed
Fixed
v9.5.1 (2018-04-28)
Fixed
v9.5.0 (2018-04-24)
Added
- Add transaction manager to passwordlessLogin and login #731 (luisrudge)
- Add error message when there is no access_token and id_token is HS256 #727 (luisrudge)
Fixed
- Fix storing values when DOM storage is not available #737 (luisrudge)
- getSSOData should call /ssodata from the ULP #733 (luisrudge)
- Return /userinfo error inside the token validation callback #724 (luisrudge)
v9.4.2 (2018-03-28)
Added
v9.4.1 (2018-03-22)
Fixed
v9.4.0 (2018-03-22)
Added
v9.3.4 (2018-03-21)
Added
v9.3.3 (2018-03-09)
Added
Fixed
- Use CookieStorage when accessing localStorage throws an error #698 (luisrudge)
- Remove
emailparam in cross auth login #692 (luisrudge) - Add audience:/userinfo to getSSOData checkSession call #688 (luisrudge)
v9.3.2 (2018-03-02)
Fixed
v9.3.1 (2018-02-28)
v9.3.0 (2018-02-22)
Fixed
- Fix CSRF vulnerability when
hash.stateis empty. Please read more about it here and here. #673 (luisrudge) - Use WinChan on popup.callback again + adding origin check to keep it secure #669 (luisrudge)
- Fixed error handling for auth in popup mode #668 (luisrudge)
- Fix inconsistent cross origin error handling #667 (luisrudge)
v9.2.3 (2018-02-14)
Changed
Fixed
v9.2.2 (2018-02-08)
Fixed
v9.2.1 (2018-02-05)
Fixed
v9.2.0 (2018-02-01)
Added
- Normalized login and passwordlessLogin usage to make it work in embedded and hosted scenarios #646 (luisrudge)
v9.1.3 (2018-01-29)
Fixed
v9.1.2 (2018-01-26)
Fixed
v9.1.1 (2018-01-24)
Fixed
v9.1.0 (2018-01-16)
Changed
v9.0.3 (2018-01-15)
Fixed
- Use window.location.origin instead of window.origin #627 (thoean)
- Do not consider a load event valid if protocol is "about:" #619 (damien-gl)
v9.0.2 (2017-12-29)
Fixed
v9.0.1 (2017-12-26)
Changed
v9.0.0 (2017-12-21)
Breaking change
Auth0.js v9 uses our latest embedded login API. This version removes API calls to usernamepassword/login and user/ssodata and is not supported in centralized login scenarios (i.e. Hosted Login Pages). If you are using a Hosted Login Page, keep using Auth0.js v8.
The scenarios below use a mix of Cross Origin Authentication and WebAuth.checkSession. Read more about Cross Origin Authentication and how to enable Web Origins here.
We wrote a Migration Guide to make upgrading your app easy. If you need help, please reach out to our amazing support team at https://support.auth0.com.
Breaking change
WebAuth.client.getSSOData now uses WebAuth.checkSession and a local cache to obtain the resulting data.
Breaking change
WebAuth.client.loginWithCredentials now uses Cross Origin Authentication to handle authentication requests.
Breaking change
WebAuth.client.signupAndLogin now uses Cross Origin Authentication to handle the authentication request after the signup.
Breaking change
WebAuth.popup.loginWithCredentials now uses Cross Origin Authentication and WebAuth.checkSession to handle authentication requests without making a page redirect.
v8.10.1 (2017-09-19)
Changed
v8.10.0 (2017-09-18)
Added
Fixed
- Fixing tenant override in popup mode #501 (luisrudge)
- Allow overriding the timeout as part of the renewAuth method #497 (dctoon)
v8.9.3 (2017-08-21)
Fixed
v8.9.2 (2017-08-17)
Fixed
v8.9.1 (2017-08-11)
Fixed
v8.9.0 (2017-08-10)
Added
- Add flag to retry requests #484 (luisrudge)
- Add cross-origin-auth support to Passwordless #482 (luisrudge)
Changed
Fixed
v8.8.0 (2017-06-20)
Changed
Fixed
v8.7.0 (2017-05-24)
Added
- Adding
scopeto the parsed hash object #434 (luisrudge) - Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
- Adding cross-origin-auth sessionless flow #431 (luisrudge)
- Adding new LoginTicket flow (with session) #426 (hzalaz)
Changed
- Sending all /co/authenticate errors to the error callback #443 (luisrudge)
- Fix some examples and docs + using https everywhere #436 (luisrudge)
Fixed
- Add login_ticket to params whitelist #442 (luisrudge)
- Fix decoding base64 string with special characters #440 (luisrudge)
- Fixed issues with overrides not being used #430 (sandrinodimattia)
v8.6.1 (2017-05-08)
Fixed
v8.6.0 (2017-04-24)
Fixed
v8.5.0 (2017-03-27)
Changed
Fixed
- Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
- Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)
v8.4.0 (2017-03-13)
Full Changelog Closed issues
- winchanOptions missing parameters #378
- 'Nonce does not match' error when state data contains '=' encoded as %3D #377
Added
Changed
- Whitelist resource owner parameters #386 (hzalaz)
- Only allow to be used in node 6.9 or later #385 (hzalaz)
- Restrict what popupOptions fields are used #383 (hzalaz)
- Replace querystring implementation with qs module #382 (selaux)
- Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)
Fixed
v8.3.0 (2017-03-01)
Added
- Integration tests #346 (glena)
- Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
- Added flag to disable id_token verification for legacy Auth0 Applications #341 (glena)
- Popup no owp #337 (glena)
Changed
- Remove warnings around refreshing session #353 (hzalaz)
- Updated passwordless start jsdocs #340 (glena)
Fixed
v8.2.0 (2017-01-30)
Added
Fixed
v8.1.3 (2017-01-23)
Fixed
v8.1.2 (2017-01-19)
Fixed
v8.1.1 (2017-01-17)
Changed
Removed
Fixed
v8.1.0 (2017-01-17)
Added
Fixed
- Fix passwordless #315 (glena)
- Passwordless start: map params to authParams and fix tests #306 (glena)
- Fix transaction usage to delete what is stored in local storage #298 (glena)
Breaking changes
v8.0.4 (2017-01-06)
Fixed
v8.0.3 (2017-01-06)
Added
v8.0.2 (2017-01-05)
Fixed
v8.0.1 (2017-01-04)
Fixed
v8.0.0 (2017-01-03)
In v8 auth0.js is divided in three different components:
- WebAuth: Handles all AuthN/AuthZ flows with redirect/popup inside the browser and related Auth API endpoints, e.g.
/logout. - AuthenticationAPI: Helper methods for calling Auth0 Authentication API
- ManagementAPI: Helper methods for calling Auth0 Management API
To get started you can just create a WebAuth instance like this
var auth0 = new auth0.WebAuth({
domain: "{YOUR_AUTH0_DOMAIN}",
clientID: "{YOUR_AUTH0_CLIENT_ID}"
});Since auth0.js is intended to be used in javascript clients running in the browser most of the times an instance of
WebAuthis needed.
And if you ever need to perform an xhr request to Auth0 Authentication API, WebAuth exposes an instance of AuthenticationAPI
auth0.client.userInfo(accessToken, function(error, userInfo) {
// User information or error
});Added
- add token validation and signature verification to the parseHash method #278 (glena)
- Add method to signup and login using password-realm #277 (glena)
Breaking changes
v8.0.0-beta.3 (2016-12-19)
Fixed
v8.0.0-beta.2 (2016-12-16)
Added
Fixed
v8.0.0-beta.1 (2016-12-14)
Added
- Add get user country method for passwordless #267 (glena)
- Login with password realm grant via /oauth/token #265 (glena)
Changed
- Add standard fields to parseHash and normalize responses to camelCase #261 (glena)
- Add Whitelist of authorize parameters #258 (glena)
Fixed
v8.0.0-alpha.2 (2016-12-05)
Closed issues
- redirectUri should not be mandatory in the constructor #249
- responseMode should be part of the constructor params #247
- Check if all the methods accepts the same parames from constructor #246
Added
- Preload window for popup signup and login #256 (glena)
- Quirks mode and deprecations warning #255 (glena)
- Added responseMode, all methods uses the same params from construct, redirectUri is not mandatory #253 (glena)
- Added sso data client #251 (glena)
- V8 Popup mode #245 (glena)
- Added nonce and status to mitigate replay attacks #244 (glena)
Changed
v8.0.0-alpha.1 (2016-11-21)
Added