Skip to content

Latest commit

 

History

History
907 lines (492 loc) · 40.5 KB

CHANGELOG.md

File metadata and controls

907 lines (492 loc) · 40.5 KB

v9.14.3 (2021-01-26)

Full Changelog

Changed

v9.14.2 (2021-01-14)

Full Changelog

v9.14.2 is a maintenance release to fix a faulty NPM package - there are no additional changes from 9.14.1.

v9.14.1 (2021-01-14)

Full Changelog

Changed

v9.14.0 (2020-09-11)

Full Changelog

Added

Fixed

Security

v9.13.4 (2020-07-02)

Full Changelog

Changed

  • [CAUTH-423] Add login state if available to the sign-up request #1117 (jfromaniello)

v9.13.3 (2020-06-26)

Full Changelog

Changed

Fixed

v9.13.2 (2020-04-09)

Full Changelog

Fixed

Security

v9.13.1 (2020-04-01)

Full Changelog

Fixed

Security

v9.13.0 (2020-03-27)

Full Changelog

Added

v9.12.2 (2020-01-14)

Full Changelog

Changed

Security

v9.12.1 (2019-12-17)

Full Changelog

Fixed

v9.12.0 (2019-12-11)

Full Changelog

Added

Fixed

Security

v9.11.3 (2019-07-23)

Fixed

Use cdn-uploader from NPM.

Full Changelog

v9.11.2 (2019-07-15)

Full Changelog

Fixed

  • Upgrade idtoken-verifier to fix importing auth0.js in SSR apps #965 (luisrudge)

v9.11.1 (2019-06-27)

Full Changelog

Fixed

  • Fix nonce error when id_token doesn't have a nonce #954 (luisrudge)

v9.11.0 (2019-06-25)

Full Changelog

Added

Changed

Fixed

v9.10.4 (2019-05-24)

Full Changelog

Fixed

v9.10.3 (2019-05-22)

Full Changelog

v9.10.2 (2019-04-15)

Full Changelog

Changed

v9.10.1 (2019-03-18)

Full Changelog

Fixed

  • Throw nonce error when using HS256 id_tokens #913 (luisrudge)
  • Fix different id_token payload casing between authorize and popup.authorize #911 (luisrudge)

v9.10.0 (2019-01-28)

Full Changelog

Changed

  • Trim username, email and phoneNumber params in every request #895 (ScottRudiger)

v9.9.1 (2019-01-23)

Full Changelog

Fixed

  • Don't store transactions when inside the hosted login page #899 (luisrudge)

v9.9.0 (2019-01-10)

Full Changelog

Fixed

  • Don't use storage when inside the Universal Login Page #889 (luisrudge)

v9.8.2 (2018-11-13)

Full Changelog

Fixed

  • Prevent checkSession to be called without a redirect_uri #851 (ojas360)
  • Parse file protocol from Url #846 (anion155)

v9.8.1 (2018-10-23)

Full Changelog

Fixed

  • Fixed transaction state not being set to expire in 30 minutes #835 (sayuti-daniel)
  • Fix incorrect error wrapping for signup/change password errors #829 (luisrudge)

v9.8.0 (2018-09-26)

Full Changelog

Released

  • Start using cookies instead of localStorage by default #817 (luisrudge)

v9.7.4-beta1 (2018-08-28)

Full Changelog

Changed

  • Start using cookies instead of localStorage by default #817 (luisrudge)

v9.7.3 (2018-07-23)

Full Changelog

Fixed

v9.7.3-beta1 (2018-07-18)

Full Changelog

Fixed

  • Fix npm module export #808 (luisrudge)
    • We're testing the new module export to make sure we restore the previous behavior before committing to a patch fix

v9.7.2 (2018-07-13)

Full Changelog

Fixed

v9.7.1 (2018-07-13)

Full Changelog

Fixed

  • Fix build folder not being published in the tag #801 (luisrudge)

v9.7.0 (2018-07-12)

Full Changelog

Added

Fixed

  • options is optional in WebAuth.prototype.authorize #789 (behrangsa)
  • Removing domain option from methods (it can't be overridden) #781 (luisrudge)

v9.6.1 (2018-06-07)

Full Changelog

Fixed

  • Remove global from window helpers #764 (fetis)

v9.6.0 (2018-05-28)

Full Changelog

Changed

  • Added access_type and display to the parameters-whitelist #760 (lordnox)

Fixed

  • Clear local state when checkSession call fails #758 (luisrudge)

v9.5.1 (2018-04-28)

Full Changelog

Fixed

v9.5.0 (2018-04-24)

Full Changelog

Added

  • Add transaction manager to passwordlessLogin and login #731 (luisrudge)
  • Add error message when there is no access_token and id_token is HS256 #727 (luisrudge)

Fixed

  • Fix storing values when DOM storage is not available #737 (luisrudge)
  • getSSOData should call /ssodata from the ULP #733 (luisrudge)
  • Return /userinfo error inside the token validation callback #724 (luisrudge)

v9.4.2 (2018-03-28)

Full Changelog

Added

v9.4.1 (2018-03-22)

Full Changelog

Fixed

  • Don't validate access_token when there is no payload.at_hash claim #718 (luisrudge)

v9.4.0 (2018-03-22)

Full Changelog

Added

  • Adding access_token validation for RS256 id_token's #709 (luisrudge)

v9.3.4 (2018-03-21)

Full Changelog

Added

  • Add flag __enableIdPInitiatedLogin to enable idp initiated logins #708 (luisrudge)

v9.3.3 (2018-03-09)

Full Changelog

Added

  • Add __enableImpersonation flag to enable impersonation again #689 (luisrudge)

Fixed

  • Use CookieStorage when accessing localStorage throws an error #698 (luisrudge)
  • Remove email param in cross auth login #692 (luisrudge)
  • Add audience:/userinfo to getSSOData checkSession call #688 (luisrudge)

v9.3.2 (2018-03-02)

Full Changelog

Fixed

  • Adding legacy error handling for co/auth endpoint #685 (luisrudge)

v9.3.1 (2018-02-28)

Full Changelog

v9.3.0 (2018-02-22)

Full Changelog

Fixed

  • Fix CSRF vulnerability when hash.state is empty. Please read more about it here and here. #673 (luisrudge)
  • Use WinChan on popup.callback again + adding origin check to keep it secure #669 (luisrudge)
  • Fixed error handling for auth in popup mode #668 (luisrudge)
  • Fix inconsistent cross origin error handling #667 (luisrudge)

v9.2.3 (2018-02-14)

Full Changelog

Changed

  • Use webAuth.login when calling signupAndLogin to support Universal Login Page #664 (luisrudge)

Fixed

v9.2.2 (2018-02-08)

Full Changelog

Fixed

  • Making Authentication constructor accept one or two params #657 (luisrudge)

v9.2.1 (2018-02-05)

Full Changelog

Fixed

  • Remove origin check from checkSession when redirectUri is empty #653 (luisrudge)

v9.2.0 (2018-02-01)

Full Changelog

Added

  • Normalized login and passwordlessLogin usage to make it work in embedded and hosted scenarios #646 (luisrudge)

v9.1.3 (2018-01-29)

Full Changelog

Fixed

v9.1.2 (2018-01-26)

Full Changelog

Fixed

v9.1.1 (2018-01-24)

Full Changelog

Fixed

v9.1.0 (2018-01-16)

Full Changelog

Changed

  • Validate current window origin and redirecturi origin to prevent mismatches #615 (luisrudge)

v9.0.3 (2018-01-15)

Full Changelog

Fixed

  • Use window.location.origin instead of window.origin #627 (thoean)
  • Do not consider a load event valid if protocol is "about:" #619 (damien-gl)

v9.0.2 (2017-12-29)

Full Changelog

Fixed

v9.0.1 (2017-12-26)

Full Changelog

Changed

v9.0.0 (2017-12-21)

Full Changelog

Breaking change Auth0.js v9 uses our latest embedded login API. This version removes API calls to usernamepassword/login and user/ssodata and is not supported in centralized login scenarios (i.e. Hosted Login Pages). If you are using a Hosted Login Page, keep using Auth0.js v8.

The scenarios below use a mix of Cross Origin Authentication and WebAuth.checkSession. Read more about Cross Origin Authentication and how to enable Web Origins here.

We wrote a Migration Guide to make upgrading your app easy. If you need help, please reach out to our amazing support team at https://support.auth0.com.

Breaking change WebAuth.client.getSSOData now uses WebAuth.checkSession and a local cache to obtain the resulting data.

Breaking change WebAuth.client.loginWithCredentials now uses Cross Origin Authentication to handle authentication requests.

Breaking change WebAuth.client.signupAndLogin now uses Cross Origin Authentication to handle the authentication request after the signup.

Breaking change WebAuth.popup.loginWithCredentials now uses Cross Origin Authentication and WebAuth.checkSession to handle authentication requests without making a page redirect.

v8.10.1 (2017-09-19)

Full Changelog

Changed

  • Removing renewSession and keeping only checkSession #505 (luisrudge)

v8.10.0 (2017-09-18)

Full Changelog

Added

Fixed

  • Fixing tenant override in popup mode #501 (luisrudge)
  • Allow overriding the timeout as part of the renewAuth method #497 (dctoon)

v8.9.3 (2017-08-21)

Full Changelog

Fixed

  • Using transaction manager on passwordlessStart #492 (luisrudge)

v8.9.2 (2017-08-17)

Full Changelog

Fixed

v8.9.1 (2017-08-11)

Full Changelog

Fixed

v8.9.0 (2017-08-10)

Full Changelog

Added

Changed

  • Avoid snake casing of metadata on signup #475 (hzalaz)

Fixed

  • Send empty verifier when can't access sessionStorage #470 (luisrudge)

v8.8.0 (2017-06-20)

Full Changelog

Changed

Fixed

  • Fix passwordless inside hosted login page #459 (hzalaz)

v8.7.0 (2017-05-24)

Full Changelog

Added

  • Adding scope to the parsed hash object #434 (luisrudge)
  • Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
  • Adding cross-origin-auth sessionless flow #431 (luisrudge)
  • Adding new LoginTicket flow (with session) #426 (hzalaz)

Changed

  • Sending all /co/authenticate errors to the error callback #443 (luisrudge)
  • Fix some examples and docs + using https everywhere #436 (luisrudge)

Fixed

v8.6.1 (2017-05-08)

Full Changelog

Fixed

  • Fix postMessage handler to handle parsed objects as well #420 (luisrudge)

v8.6.0 (2017-04-24)

Full Changelog

Fixed

v8.5.0 (2017-03-27)

Full Changelog

Changed

Fixed

  • Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
  • Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)

v8.4.0 (2017-03-13)

Full Changelog Closed issues

  • winchanOptions missing parameters #378
  • 'Nonce does not match' error when state data contains '=' encoded as %3D #377

Added

  • Added possibility to specify custom popup size #379 (artemtool)

Changed

  • Whitelist resource owner parameters #386 (hzalaz)
  • Only allow to be used in node 6.9 or later #385 (hzalaz)
  • Restrict what popupOptions fields are used #383 (hzalaz)
  • Replace querystring implementation with qs module #382 (selaux)
  • Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)

Fixed

  • Pass to popup the needed params for auth #381 (hzalaz)

v8.3.0 (2017-03-01)

Full Changelog

Added

  • Integration tests #346 (glena)
  • Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
  • Added flag to disable id_token verification for legacy Auth0 Applications #341 (glena)
  • Popup no owp #337 (glena)

Changed

  • Remove warnings around refreshing session #353 (hzalaz)
  • Updated passwordless start jsdocs #340 (glena)

Fixed

v8.2.0 (2017-01-30)

Full Changelog

Added

  • Plugins support + cordova plugin #333 (glena)

Fixed

  • popup.authorize should not require redirectURI when using OWP #336 (glena)

v8.1.3 (2017-01-23)

Full Changelog

Fixed

  • Fix case convertion of null values #329 (glena)

v8.1.2 (2017-01-19)

Full Changelog

Fixed

  • Fixed params whitelist for authorize endpoint #324 (glena)

v8.1.1 (2017-01-17)

Full Changelog

Changed

Removed

  • Revert "Fallback to math.random if there is no crypto support" #320 (glena)

Fixed

v8.1.0 (2017-01-17)

Full Changelog

Added

  • Fallback to math.random if there is no crypto support #316 (glena)

Fixed

  • Fix passwordless #315 (glena)
  • Passwordless start: map params to authParams and fix tests #306 (glena)
  • Fix transaction usage to delete what is stored in local storage #298 (glena)

Breaking changes

  • Do not change casing of the user profile object #307 (glena)

v8.0.4 (2017-01-06)

Full Changelog

Fixed

v8.0.3 (2017-01-06)

Full Changelog

Added

  • Add the option to provide a leeway #292 (glena)

v8.0.2 (2017-01-05)

Full Changelog

Fixed

v8.0.1 (2017-01-04)

Full Changelog

Fixed

  • Fix getSSOData failing due to extra headers #284 (glena)

v8.0.0 (2017-01-03)

Full Changelog

In v8 auth0.js is divided in three different components:

  • WebAuth: Handles all AuthN/AuthZ flows with redirect/popup inside the browser and related Auth API endpoints, e.g. /logout.
  • AuthenticationAPI: Helper methods for calling Auth0 Authentication API
  • ManagementAPI: Helper methods for calling Auth0 Management API

To get started you can just create a WebAuth instance like this

var auth0 = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

Since auth0.js is intended to be used in javascript clients running in the browser most of the times an instance of WebAuth is needed.

And if you ever need to perform an xhr request to Auth0 Authentication API, WebAuth exposes an instance of AuthenticationAPI

auth0.client.userInfo(accessToken, function(error, userInfo) {
  // User information or error
});

Added

  • add token validation and signature verification to the parseHash method #278 (glena)
  • Add method to signup and login using password-realm #277 (glena)

Breaking changes

  • Rename methods based on authN and authZ type #280 (glena)

v8.0.0-beta.3 (2016-12-19)

Full Changelog

Fixed

  • special handling for popup error responses #276 (glena)

v8.0.0-beta.2 (2016-12-16)

Full Changelog

Added

Fixed

  • Return policy attr in errors + responseType validation #273 (glena)

v8.0.0-beta.1 (2016-12-14)

Full Changelog

Added

  • Add get user country method for passwordless #267 (glena)
  • Login with password realm grant via /oauth/token #265 (glena)

Changed

  • Add standard fields to parseHash and normalize responses to camelCase #261 (glena)
  • Add Whitelist of authorize parameters #258 (glena)

Fixed

v8.0.0-alpha.2 (2016-12-05)

Full Changelog

Closed issues

  • redirectUri should not be mandatory in the constructor #249
  • responseMode should be part of the constructor params #247
  • Check if all the methods accepts the same parames from constructor #246

Added

  • Preload window for popup signup and login #256 (glena)
  • Quirks mode and deprecations warning #255 (glena)
  • Added responseMode, all methods uses the same params from construct, redirectUri is not mandatory #253 (glena)
  • Added sso data client #251 (glena)
  • V8 Popup mode #245 (glena)
  • Added nonce and status to mitigate replay attacks #244 (glena)

Changed

v8.0.0-alpha.1 (2016-11-21)

Full Changelog

Added

  • Change webauth structure + Allow to abort requests #240 (glena)
  • added extra options + snake to camel all the options #236 (glena)
  • V8: Signup and passwordless #232 (glena)
  • Webauth redirect login/callback #231 (glena)