
Releases: okta/okta-auth-js

@okta/[email protected]

04 Jun 03:16
9a5117d


Bug Fixes

  • #384 Shifts browser storage for ephemeral PKCE code challenge to default to sessionStorage before localStorage or cookies.

    • This should reduce problems with multiple tabs making overlapping requests to renew tokens.
  • #386 Fixes token.verify: validationParams should be optional.

@okta/[email protected]

12 Jun 18:30


Bug Fixes

  • #369
    • Will reject with an error if PKCE is enabled but not supported when an OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows.

    • Will print a console warning and disable secure cookies if cookies.secure is enabled on an HTTP connection. Previously this would throw in the constructor.

@okta/[email protected]

20 Apr 21:31
5954e7c


Features

  • #363
    • Expose server bundle for React Native platform as an Authentication SDK.
    • Handle userAgent customization with newly added userAgent field in config.

@okta/[email protected]

30 Mar 20:57
27dd4ee


Bug Fixes

  • #354 - Omit cookies from API requests. Removes warning messages in latest version of Chrome.

  • #355 - Fix for authorization_code flow for non-SPA applications (when responseType: 'code' and pkce: 'false'). The code can be retrieved client-side using parseFromUrl() without throwing an error.

@okta/[email protected]

04 Mar 18:39
1b317b6


Features

New option cookies allows overriding default secure and sameSite values.

Breaking Changes

  • #308 - Removed jquery and reqwest httpRequesters

  • #309 - Removed Q library, now using standard Promise. IE11 will require a polyfill for the Promise object. Use of Promise.prototype.finally requires Node > 10.3 for server-side use.

  • #310 - New behavior for signOut()

  • #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The state parameter (passed to authorize request) is also returned.

  • #313 - An HTTPS origin will be enforced unless running on http://localhost or cookies.secure is set to false

  • #316 - Option issuer is required. Option url has been deprecated and is no longer used.

  • #317 - pkce option is now true by default. grantType option is removed.

  • #320 - getWithRedirect, getWithPopup, and getWithoutPrompt previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.

  • #321

    • Default responseType when using implicit flow is now ['token', 'id_token'].
    • When both access token and id token are returned, the id token's at_hash claim will be validated against the access token
  • #325 - Previously, the default responseMode for PKCE was "fragment". It is now "query". Unless explicitly specified using the responseMode option, the response_mode parameter is no longer passed by token.getWithRedirect to the /authorize endpoint. The response_mode will be set by the backend according to the OpenID specification. Implicit flow will use "fragment" and PKCE will use "query". If previous behavior is desired, PKCE can set the responseMode option to "fragment".

  • #329 - Fix internal fetch implementation. responseText will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as responseJSON and responseType will be set to "json". Invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the status code returned from the server.
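
The at_hash validation named in #321, sketched as an added example for Node.js (not code from okta-auth-js). It follows the OpenID Connect Core definition of at_hash; the function names, the sample tokens and the placeholder signature segment are constructed for illustration.

```javascript
// Added illustration of the OIDC at_hash check; not okta-auth-js source code.
const nodeCrypto = require('crypto');

// The hash is the one named by the ID token's JWS "alg" header (RS256 -> SHA-256).
const HASH_FOR_ALG = {
  RS256: 'sha256', ES256: 'sha256', PS256: 'sha256',
  RS384: 'sha384', ES384: 'sha384', PS384: 'sha384',
  RS512: 'sha512', ES512: 'sha512', PS512: 'sha512',
};

const toBase64Url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

const decodeSegment = (seg) =>
  JSON.parse(Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'));

// at_hash = base64url(left half of hash(ASCII octets of the access token)).
function computeAtHash(accessToken, alg) {
  const hashName = HASH_FOR_ALG[alg];
  if (!hashName) throw new Error(`unsupported alg for at_hash: ${alg}`);
  const digest = nodeCrypto.createHash(hashName).update(accessToken, 'ascii').digest();
  return toBase64Url(digest.subarray(0, digest.length / 2));
}

// Run this only after the ID token signature has been verified; the claim
// binds the access token to that ID token and proves nothing by itself.
function checkAtHash(idToken, accessToken) {
  const [headerSeg, payloadSeg] = idToken.split('.');
  const { alg } = decodeSegment(headerSeg);
  const { at_hash: claimed } = decodeSegment(payloadSeg);
  if (typeof claimed !== 'string') return { ok: false, reason: 'at_hash claim missing' };
  const expected = Buffer.from(computeAtHash(accessToken, alg));
  const actual = Buffer.from(claimed);
  const ok = actual.length === expected.length && nodeCrypto.timingSafeEqual(actual, expected);
  return ok ? { ok: true } : { ok: false, reason: 'at_hash does not match access token' };
}

// Constructed sample: an ID token with a placeholder signature segment.
function makeSampleIdToken(claims, alg = 'RS256') {
  const seg = (obj) => toBase64Url(Buffer.from(JSON.stringify(obj)));
  return `${seg({ alg, typ: 'JWT' })}.${seg(claims)}.constructed-signature`;
}

const sampleAccessToken = 'constructed-access-token-value';
const sampleIdToken = makeSampleIdToken({ sub: 'user-1', at_hash: computeAtHash(sampleAccessToken, 'RS256') });
console.log(checkAtHash(sampleIdToken, sampleAccessToken));
console.log(checkAtHash(sampleIdToken, sampleAccessToken + 'x'));
```

A mismatch means the access token delivered alongside the ID token is not the one the issuer bound to it, so the pair should be rejected together.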

Other

@okta/[email protected]

03 Mar 02:52
92f6ae3


Bug Fixes

  • #338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless tokenManager.secure is set to true via config.

@okta/[email protected]

03 Mar 02:52
92f6ae3


Bug Fixes

  • #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)

2.13.0

29 Jan 21:43
6e236a4


Features

  • #324 - Support responseMode: "query" option for SPA apps using PKCE flow

2.12.1

24 Jan 21:24


Bug Fixes

  • #315 - getWellKnown was using base url over issuer. Method has been fixed to use issuer, if configured, and will fall back to base url
  • #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)

2.12.0

24 Jan 21:20
9355356


Features

  • #304 - Will set a 'SameSite' value on all cookies set by this SDK
    • Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'