v9.28.0 (2024-10-21)
Fixed
- Ensure done callback is correctly fired on captcha reload #1469 (srijonsaha)
v9.27.0 (2024-09-27)
Added
Changed
- Update codeowner file with new GitHub team name #1452 (stevenwong-okta)
v9.26.1 (2024-05-20)
Fixed
- Call done callback once Arkose is ready #1433 (srijonsaha)
v9.26.0 (2024-04-30)
Changed
- Update endpoint and add API to get password reset challenge #1431 (srijonsaha)
Note: PR #1431 is a breaking change for a newly-added, WIP, undocumented feature.
v9.25.0 (2024-04-25)
Added
- Add APIs to get captcha challenge for reset password #1426 (srijonsaha)
v9.24.1 (2024-01-04)
Changed
- [IAMRISK-3011] Auth0 V2 Captcha failOpen support #1382 (alexkoumarianos-okta)
v9.24.0 (2023-12-13)
Added
- [IAMRISK-2915] Added support for Auth0 v2 captcha provider #1368 (alexkoumarianos-okta)
v9.23.3 (2023-11-13)
Security
v9.23.2 (2023-10-27)
Security
- Bump crypto-js from 4.1.1 to 4.2.0 #1354 (dependabot[bot])
v9.23.1 (2023-10-19)
Changed
- [IAMRISK-2817] Update API for Arkose to use a callback based API #1349 (srijonsaha)
v9.23.0 (2023-10-06)
Added
- [IAMRISK-2602] Add support for Arkose #1341 (srijonsaha)
v9.22.1 (2023-07-18)
Changed
- Do not lowercase org_name claim #1315 (frederikprijck)
v9.22.0 (2023-07-13)
Added
- Added support for hCaptcha and Friendly Captcha #1312 (DominickBattistini)
- Support Organization Name #1313 (frederikprijck)
Security
v9.21.0 (2023-05-24)
Added
- Add cookieDomain option #1304 (telmaantunes)
v9.20.2 (2023-02-28)
Fixed
Security
- chore: update superagent to 7.1.5 #1296 (stevehobbsdev)
v9.20.1 (2023-01-12)
Fixed
- Updated jsdocs for Authentication#login #1284 (siddtheone)
Security
- Bump jsonwebtoken from 8.5.1 to 9.0.0 #1282 (dependabot[bot])
v9.20.0 (2022-12-13)
Added
- Support Captcha challenge for passwordless login #1277 (DominickBattistini)
v9.19.2 (2022-11-04)
Changed
- Regenerate API docs using new readme #1271 (frederikprijck)
- Update readme based on the internal redesign #1269 (frederikprijck)
Fixed
- support timeout option in Popup.loginWithCredentials #1273 (stevehobbsdev)
v9.19.1 (2022-09-09)
Changed
- Clean up old/missing library migration links #1256 (stevehobbsdev)
- Clarify usage of legacySameSiteCookie in readme #1255 (stevehobbsdev)
Security
v9.19.0 (2022-01-25)
Added
- Add compatibility cookie for SameSite, with option to turn it off #1232 (stevehobbsdev)
v9.18.1 (2022-01-14)
Fixed
- Set sameSite to 'none' for cookies when using HTTPS #1229 (stevehobbsdev)
v9.18.0 (2021-11-09)
Added
Added
- Add xRequestLanguage, which sends X-Request-Language header to /passwordless/start #1210 (stevehobbsdev)
Fixed
v9.16.4 (2021-08-26)
Fixed
v9.16.3 (2021-08-24)
Security
- Dependency updates #1200 (stevehobbsdev)
Fixed
- Add check around accessing event.data in web-message-handler #1195 (stevehobbsdev)
v9.16.2 (2021-05-26)
Security
- Update idtoken-verifier to 2.1.2 #1182 (stevehobbsdev)
v9.16.1 (2021-05-25)
Security
- Bump idtoken-verifier and run npm audit fix #1179 (frederikprijck)
v9.16.0 (2021-04-26)
Added
- Add Recaptcha Enterprise support #1169 (akmjenkins)
Fixed
Security
- [Security] Bump y18n from 4.0.0 to 4.0.1 #1162 (dependabot-preview[bot])
v9.15.0 (2021-03-19)
Added
- [SDK-2391] Organizations support #1159 (stevehobbsdev)
- [SDK-2273] Add onRedirecting login hook #1157 (stevehobbsdev)
Changed
- Apply secure flag to cookies when running on https protocol #1158 (stevehobbsdev)
v9.14.3 (2021-01-26)
Changed
v9.14.2 (2021-01-14)
v9.14.2 is a maintenance release to fix a faulty NPM package - there are no additional changes from 9.14.1.
v9.14.1 (2021-01-14)
Changed
- Allow domain to contain http scheme #1144 (danmastrowcoles)
v9.14.0 (2020-09-11)
Added
- [CAUTH-551] add render captcha method #1126 (jfromaniello)
Fixed
- [SDK-1812] Inclusive language updates #1125 (stevehobbsdev)
- Update superagent dependency to 5.3.1 to get around babel bug #1120 (paviad)
Security
- Dependencies and NPM lock file #1130 (stevehobbsdev)
v9.13.4 (2020-07-02)
Changed
- [CAUTH-423] Add login state if available to the sign-up request #1117 (jfromaniello)
v9.13.3 (2020-06-26)
Changed
- Bump idtoken-verifier to 2.0.3 #1113 (stevehobbsdev)
Fixed
- Fix IE default redirect url #1108 (vincentdesmares)
- Document that checkSession requires a callback #1103 (civility-bot)
v9.13.2 (2020-04-09)
Fixed
Security
- Fixed information disclosure through error object commit (stevehobbsdev)
- Bump minimist from 1.2.0 to 1.2.5 #1098 (dependabot[bot])
- Dependency updates for security advisories #1097 (stevehobbsdev)
v9.13.1 (2020-04-01)
Fixed
Security
- Update idtoken-verifier dependency #1091 (lbalmaceda)
v9.13.0 (2020-03-27)
Added
- [SDK-1405] Added support for new generic error codes and details #1084 (stevehobbsdev)
- Fix unit tests by stubbing RSA verification #1085 (stevehobbsdev)
- Updated JS docs for user_metadata #1088 (stevehobbsdev)
v9.12.2 (2020-01-14)
Changed
- [SDK-1266] Bumped idtoken-verifier to latest patch #1073 (stevehobbsdev)
Security
- [Security] Bump handlebars from 4.1.2 to 4.5.3 #1068 (dependabot-preview[bot])
v9.12.1 (2019-12-17)
Fixed
- Set the default token validation leeway to 60 sec #1062 (stevehobbsdev)
v9.12.0 (2019-12-11)
Added
- [CAUTH-239] Add getChallenge method #1057 (jfromaniello)
Fixed
- Fixed passwordless params priority #1058 (stevehobbsdev)
- Bugfix for WebExtension #1054 (STK913)
- Readme develop #1043 (jsoref)
- Fixed typo #1039 (Nyholm)
Security
- [SDK-974] Improved OIDC compliance #1059 (stevehobbsdev)
v9.11.3 (2019-07-23)
Fixed
- Use cdn-uploader from NPM.
v9.11.2 (2019-07-15)
Fixed
v9.11.1 (2019-06-27)
Fixed
v9.11.0 (2019-06-25)
Added
Changed
Fixed
v9.10.4 (2019-05-24)
Fixed
v9.10.3 (2019-05-22)
v9.10.2 (2019-04-15)
Changed
v9.10.1 (2019-03-18)
Fixed
- Throw nonce error when using HS256 id_tokens #913 (luisrudge)
- Fix different id_token payload casing between authorize and popup.authorize #911 (luisrudge)
v9.10.0 (2019-01-28)
Changed
- Trim username, email and phoneNumber params in every request #895 (ScottRudiger)
v9.9.1 (2019-01-23)
Fixed
v9.9.0 (2019-01-10)
Fixed
v9.8.2 (2018-11-13)
Fixed
- Prevent checkSession to be called without a redirect_uri #851 (ojas360)
- Parse file protocol from Url #846 (anion155)
v9.8.1 (2018-10-23)
Fixed
- Fixed transaction state not being set to expire in 30 minutes #835 (sayuti-daniel)
- Fix incorrect error wrapping for signup/change password errors #829 (luisrudge)
v9.8.0 (2018-09-26)
Released
v9.7.4-beta1 (2018-08-28)
Changed
v9.7.3 (2018-07-23)
Fixed
v9.7.3-beta1 (2018-07-18)
Fixed
- Fix npm module export #808 (luisrudge)
- We're testing the new module export to make sure we restore the previous behavior before committing to a patch fix
v9.7.2 (2018-07-13)
Fixed
v9.7.1 (2018-07-13)
Fixed
v9.7.0 (2018-07-12)
Added
Fixed
- options is optional in WebAuth.prototype.authorize #789 (behrangsa)
- Removing domain option from methods (it can't be overridden) #781 (luisrudge)
v9.6.1 (2018-06-07)
Fixed
v9.6.0 (2018-05-28)
Changed
Fixed
v9.5.1 (2018-04-28)
Fixed
v9.5.0 (2018-04-24)
Added
- Add transaction manager to passwordlessLogin and login #731 (luisrudge)
- Add error message when there is no access_token and id_token is HS256 #727 (luisrudge)
Fixed
- Fix storing values when DOM storage is not available #737 (luisrudge)
- getSSOData should call /ssodata from the ULP #733 (luisrudge)
- Return /userinfo error inside the token validation callback #724 (luisrudge)
v9.4.2 (2018-03-28)
Added
v9.4.1 (2018-03-22)
Fixed
v9.4.0 (2018-03-22)
Added
v9.3.4 (2018-03-21)
Added
v9.3.3 (2018-03-09)
Added
Fixed
- Use CookieStorage when accessing localStorage throws an error #698 (luisrudge)
- Remove email param in cross auth login #692 (luisrudge)
- Add audience:/userinfo to getSSOData checkSession call #688 (luisrudge)
v9.3.2 (2018-03-02)
Fixed
v9.3.1 (2018-02-28)
v9.3.0 (2018-02-22)
Fixed
- Fix CSRF vulnerability when hash.state is empty. Please read more about it here and here. #673 (luisrudge)
- Use WinChan on popup.callback again + adding origin check to keep it secure #669 (luisrudge)
- Fixed error handling for auth in popup mode #668 (luisrudge)
- Fix inconsistent cross origin error handling #667 (luisrudge)
v9.2.3 (2018-02-14)
Changed
Fixed
v9.2.2 (2018-02-08)
Fixed
v9.2.1 (2018-02-05)
Fixed
v9.2.0 (2018-02-01)
Added
- Normalized login and passwordlessLogin usage to make it work in embedded and hosted scenarios #646 (luisrudge)
v9.1.3 (2018-01-29)
Fixed
v9.1.2 (2018-01-26)
Fixed
v9.1.1 (2018-01-24)
Fixed
v9.1.0 (2018-01-16)
Changed
v9.0.3 (2018-01-15)
Fixed
- Use window.location.origin instead of window.origin #627 (thoean)
- Do not consider a load event valid if protocol is "about:" #619 (damien-gl)
v9.0.2 (2017-12-29)
Fixed
v9.0.1 (2017-12-26)
Changed
v9.0.0 (2017-12-21)
Breaking change
Auth0.js v9 uses our latest embedded login API. This version removes API calls to usernamepassword/login and user/ssodata and is not supported in centralized login scenarios (i.e. Hosted Login Pages). If you are using a Hosted Login Page, keep using Auth0.js v8.
The scenarios below use a mix of Cross Origin Authentication and WebAuth.checkSession. Read more about Cross Origin Authentication and how to enable Web Origins here.
We wrote a Migration Guide to make upgrading your app easy. If you need help, please reach out to our amazing support team at https://support.auth0.com.
Breaking change
WebAuth.client.getSSOData now uses WebAuth.checkSession and a local cache to obtain the resulting data.
Breaking change
WebAuth.client.loginWithCredentials now uses Cross Origin Authentication to handle authentication requests.
Breaking change
WebAuth.client.signupAndLogin now uses Cross Origin Authentication to handle the authentication request after the signup.
Breaking change
WebAuth.popup.loginWithCredentials now uses Cross Origin Authentication and WebAuth.checkSession to handle authentication requests without making a page redirect.
v8.10.1 (2017-09-19)
Changed
v8.10.0 (2017-09-18)
Added
Fixed
- Fixing tenant override in popup mode #501 (luisrudge)
- Allow overriding the timeout as part of the renewAuth method #497 (dctoon)
v8.9.3 (2017-08-21)
Fixed
v8.9.2 (2017-08-17)
Fixed
v8.9.1 (2017-08-11)
Fixed
v8.9.0 (2017-08-10)
Added
- Add flag to retry requests #484 (luisrudge)
- Add cross-origin-auth support to Passwordless #482 (luisrudge)
Changed
Fixed
v8.8.0 (2017-06-20)
Changed
Fixed
v8.7.0 (2017-05-24)
Added
- Adding scope to the parsed hash object #434 (luisrudge)
- Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
- Adding cross-origin-auth sessionless flow #431 (luisrudge)
- Adding new LoginTicket flow (with session) #426 (hzalaz)
Changed
- Sending all /co/authenticate errors to the error callback #443 (luisrudge)
- Fix some examples and docs + using https everywhere #436 (luisrudge)
Fixed
- Add login_ticket to params whitelist #442 (luisrudge)
- Fix decoding base64 string with special characters #440 (luisrudge)
- Fixed issues with overrides not being used #430 (sandrinodimattia)
v8.6.1 (2017-05-08)
Fixed
v8.6.0 (2017-04-24)
Fixed
v8.5.0 (2017-03-27)
Changed
Fixed
- Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
- Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)
v8.4.0 (2017-03-13)
Closed issues
- winchanOptions missing parameters #378
- 'Nonce does not match' error when state data contains '=' encoded as %3D #377
Added
Changed
- Whitelist resource owner parameters #386 (hzalaz)
- Only allow to be used in node 6.9 or later #385 (hzalaz)
- Restrict what popupOptions fields are used #383 (hzalaz)
- Replace querystring implementation with qs module #382 (selaux)
- Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)
Fixed
v8.3.0 (2017-03-01)
Added
- Integration tests #346 (glena)
- Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
- Added flag to disable id_token verification for legacy Auth0 Applications #341 (glena)
- Popup no owp #337 (glena)
Changed
- Remove warnings around refreshing session #353 (hzalaz)
- Updated passwordless start jsdocs #340 (glena)
Fixed
v8.2.0 (2017-01-30)
Added
Fixed
v8.1.3 (2017-01-23)
Fixed
v8.1.2 (2017-01-19)
Fixed
v8.1.1 (2017-01-17)
Changed
Removed
Fixed
v8.1.0 (2017-01-17)
Added
Fixed
- Fix passwordless #315 (glena)
- Passwordless start: map params to authParams and fix tests #306 (glena)
- Fix transaction usage to delete what is stored in local storage #298 (glena)
Breaking changes
v8.0.4 (2017-01-06)
Fixed
v8.0.3 (2017-01-06)
Added
v8.0.2 (2017-01-05)
Fixed
v8.0.1 (2017-01-04)
Fixed
v8.0.0 (2017-01-03)
In v8, auth0.js is divided into three different components:
- WebAuth: Handles all AuthN/AuthZ flows with redirect/popup inside the browser and related Auth API endpoints, e.g. /logout.
- AuthenticationAPI: Helper methods for calling Auth0 Authentication API
- ManagementAPI: Helper methods for calling Auth0 Management API
To get started, you can just create a WebAuth instance like this:

    // Named webAuth so the instance does not shadow the global auth0 namespace.
    var webAuth = new auth0.WebAuth({
      domain: '{YOUR_AUTH0_DOMAIN}',
      clientID: '{YOUR_AUTH0_CLIENT_ID}'
    });

Since auth0.js is intended to be used in JavaScript clients running in the browser, most of the time an instance of WebAuth is needed.
And if you ever need to perform an XHR request to the Auth0 Authentication API, WebAuth exposes an instance of AuthenticationAPI:

    // webAuth.client is the AuthenticationAPI instance exposed by WebAuth.
    webAuth.client.userInfo(accessToken, function (error, userInfo) {
      // User information or error
    });

Added
- add token validation and signature verification to the parseHash method #278 (glena)
- Add method to signup and login using password-realm #277 (glena)
Breaking changes
v8.0.0-beta.3 (2016-12-19)
Fixed
v8.0.0-beta.2 (2016-12-16)
Added
Fixed
v8.0.0-beta.1 (2016-12-14)
Added
- Add get user country method for passwordless #267 (glena)
- Login with password realm grant via /oauth/token #265 (glena)
Changed
- Add standard fields to parseHash and normalize responses to camelCase #261 (glena)
- Add Whitelist of authorize parameters #258 (glena)
Fixed
v8.0.0-alpha.2 (2016-12-05)
Closed issues
- redirectUri should not be mandatory in the constructor #249
- responseMode should be part of the constructor params #247
- Check if all the methods accepts the same parames from constructor #246
Added
- Preload window for popup signup and login #256 (glena)
- Quirks mode and deprecations warning #255 (glena)
- Added responseMode, all methods uses the same params from construct, redirectUri is not mandatory #253 (glena)
- Added sso data client #251 (glena)
- V8 Popup mode #245 (glena)
- Added nonce and status to mitigate replay attacks #244 (glena)
Changed
v8.0.0-alpha.1 (2016-11-21)
Added