Okta Auth JavaScript SDK

• Release status
• Need help?
  • Browser compatibility / polyfill
  • Third party cookies
• Getting started
• Usage guide
• Strategies for Obtaining Tokens
• Configuration reference
• API Reference
• Building the SDK
• Node JS and React Native Usage
• Migrating from previous versions
• Contributing

The Okta Auth JavaScript SDK builds on top of our Authentication API and OpenID Connect & OAuth 2.0 API to enable you to create a fully branded sign-in experience using JavaScript.

You can learn more on the Okta + JavaScript page in our documentation.

This library uses semantic versioning and follows Okta's library version policy.

:warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning:

:warning: Bulletin Board :warning:

• Review Future of autoRenew
  
• Review End of Third-Party Cookies
  

  :warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning::warning:
  

Release Status

:heavy_check_mark: The current stable major version series is: 7.x

The latest release can always be found on the releases page.

Need help?

If you run into problems using the SDK, you can:

• Ask questions on the Okta Developer Forums
• Post issues here on GitHub (for code errors)

Users migrating from previous versions of this SDK should see Migrating Guide to learn what changes are necessary.

Browser compatibility / polyfill

This SDK is known to work with current versions of Chrome, Firefox, and Safari on desktop and mobile.

Compatibility with IE 11 / Edge can be accomplished by adding polyfill/shims for the following objects:

• ES Promise
• Array.from
• TextEncoder
• Object.assign
• UInt8 typed array
• webcrypto (crypto.subtle)

:warning: crypto polyfills are unable to use the operating system as a source of good quality entropy used to generate pseudo-random numbers that are the key to good cryptography. As such we take the posture that crypto polyfills are less secure and we advise against using them.

This module provides an entrypoint that implements all required polyfills.

If you are using the JS on a web page from the browser, you can copy the node_modules/@okta/okta-auth-js/dist contents to publicly hosted directory, and include a reference to the okta-auth-js.polyfill.js file in a <script> tag. It should be loaded before any other scripts which depend on the polyfill.

If you're using a bundler like Webpack or Browserify, you can simply import import or require @okta/okta-auth-js/polyfill at or near the beginning of your application's code:

import '@okta/okta-auth-js/polyfill';

or

require('@okta/okta-auth-js/polyfill');

The built polyfill bundle is also available on our global CDN. Include the following script in your HTML file to load before any other scripts:

<script src="https://global.oktacdn.com/okta-auth-js/7.5.1/okta-auth-js.polyfill.js" type="text/javascript" integrity="sha384-EBFsuVdi4TGp/DwS7b+t+wA8zmWK10omkX05ZjJWQhzWuW31t7FWEGOnHQeIr8+L" crossorigin="anonymous"></script>

:warning: The version shown in this sample may be older than the current version. We recommend using the highest version available

Third party cookies

Many browsers have started blocking cross-origin or "third party" cookies by default. Although most of the Okta APIs supported by this SDK do not rely upon cookies, there are a few methods which do. These methods will break if third party cookies are blocked:

• session APIs require access to cookies stored on the Okta domain.
  • session.setCookieAndRedirect
  • session.exists
  • session.get
  • session.refresh
  • closeSession
• token
  • token.getWithoutPrompt must have access to cookies on the Okta domain via an iFrame running on your application's page.
  • token.renew uses token.getWithoutPrompt and is subject to the same limitations.

If your application depends on any of these methods, you should try to either rewrite your application to avoid using these methods or communicate to your users that they must enable third party cookies. Okta engineers are currently working on a better long-term solution to this problem.

Getting started

Installing the Authentication SDK is simple. You can include it in your project via our npm package, @okta/okta-auth-js.

You'll also need:

• An Okta account, called an organization (sign up for a free developer organization if you need one)
• An Okta application, which can be created using the Okta Admin UI

Creating your Okta application

When creating a new Okta application, you can specify the application type. This SDK is designed to work with SPA (Single-page Applications) or Web applications. A SPA application will perform all logic and authorization flows client-side. A Web application will perform authorization flows on the server.

Configuring your Okta application

From the Okta Admin UI, click Applications, then select your application. You can view and edit your Okta application's configuration under the application's General tab.

Client ID

A string which uniquely identifies your Okta application.

Login redirect URIs

To sign users in, your application redirects the browser to an Okta-hosted sign-in page. Okta then redirects back to your application with information about the user. You can learn more about how this works on Okta-hosted flows.

You need to whitelist the login redirect URL in your Okta application settings.

Logout redirect URIs

After you sign users out of your app and out of Okta, you have to redirect users to a specific location in your application. You need to whitelist the post sign-out URL in your Okta application settings.

Using the npm module

Using our npm module is a good choice if:

• You have a build system in place where you manage dependencies with npm.
• You do not want to load scripts directly from third party sites.

To install @okta/okta-auth-js:

# Run this command in your project root folder.
# yarn
yarn add @okta/okta-auth-js

# npm
npm install --save @okta/okta-auth-js

If you are using the JS on a web page from the browser, you can copy the node_modules/@okta/okta-auth-js/dist contents to publicly hosted directory, and include a reference to the okta-auth-js.min.js file in a <script> tag.

The built library bundle is also available on our global CDN. Include the following script in your HTML file to load before your application script:

<script src="https://global.oktacdn.com/okta-auth-js/7.5.1/okta-auth-js.min.js" type="text/javascript" integrity="sha384-6epSwnIDkI5zFNEVNjEYy3A7aSZ+C7ehmEyG8zDJZfP9Bmnxc51TK8du+2me4pjb" crossorigin="anonymous"></script>

:warning: The version shown in this sample may be older than the current version. We recommend using the highest version available

Then you can create an instance of the OktaAuth object, available globally.

const oktaAuth = new OktaAuth({
  // config
})

However, if you're using a bundler like Webpack or Rollup you can simply import or require the module.

// ES module
import { OktaAuth } from '@okta/okta-auth-js'
const authClient = new OktaAuth(/* configOptions */)

// CommonJS
var OktaAuth = require('@okta/okta-auth-js').OktaAuth;
var authClient = new OktaAuth(/* configOptions */);

Usage guide

For an overview of the client's features and authentication flows, check out our developer docs. There, you will learn how to use the Auth SDK on a simple static page to:

• Retrieve and store an OpenID Connect (OIDC) token
• Get an Okta session

:warning: The developer docs may be written for an earlier version of this library. See Migrating from previous versions.

You can also browse the full API reference documentation.

:hourglass: Async methods return a promise which will resolve on success. The promise may reject if an error occurs.

Example Client

var config = {
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: 'GHtf9iJdr60A9IYrR0jw',
  redirectUri: 'https://acme.com/oauth2/callback/home',
};

var authClient = new OktaAuth(config);

Running as a service

By default, creating a new instance of OktaAuth will not create any asynchronous side-effects. However, certain features such as token auto renew, token auto remove and cross-tab synchronization require OktaAuth to be running as a service. This means timeouts are set in the background which will continue working until the service is stopped. To start the OktaAuth service, simply call the start method right after creation and before calling other methods like handleRedirect. To terminate all background processes, call stop. See Service Configuration for more info.

  var authClient = new OktaAuth(config);
  await authClient.start(); // start the service
  await authClient.stop(); // stop the service

Note: Starting the service will also call authStateManager.updateAuthState.

Usage with Typescript

Type definitions are provided implicitly through the types entry in package.json. Types can also be referenced explicitly by importing them.

import {
  OktaAuth,
  OktaAuthOptions,
  TokenManagerInterface,
  AccessToken,
  IDToken,
  UserClaims,
  TokenParams
} from '@okta/okta-auth-js';

const config: OktaAuthOptions = {
  issuer: 'https://{yourOktaDomain}'
};

const authClient: OktaAuth = new OktaAuth(config);
const tokenManager: TokenManagerInterface = authClient.tokenManager;
const accessToken: AccessToken = await tokenManager.get('accessToken') as AccessToken;
const idToken: IDToken = await tokenManager.get('idToken') as IDToken;
const userInfo: UserClaims = await authClient.token.getUserInfo(accessToken, idToken);

if (!userInfo) {
  const tokenParams: TokenParams = {
    scopes: ['openid', 'email', 'custom_scope'],
  };
  authClient.token.getWithRedirect(tokenParams);
}

Usage with Typescript < 3.6

Typescript versions prior to 3.6 have no type definitions for WebAuthn. Support for WebAuthn in IDX API was introduced in @okta/okta-auth-js@6.1.0. To solve this issue please install package @types/webappsec-credential-management version ^0.5.1.

Strategies for Obtaining Tokens

Authorization Code flow for web and native client types

Web and native clients can obtain tokens using the authorization_code flow which uses a client secret stored in a secure location. (SPA applications should use the PKCE flow which does not use a client secret) To use the authorization_code flow, set responseType to "code" and pkce to false:

var config = {
  // Required config
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: 'GHtf9iJdr60A9IYrR0jw',
  redirectUri: 'https://acme.com/oauth2/callback/home',

  // Use authorization_code flow
  responseType: 'code',
  pkce: false
};

var authClient = new OktaAuth(config);

PKCE OAuth 2.0 flow

The PKCE OAuth flow will be used by default. This library supports PKCE for both browser and NodeJS applications. PKCE is widely supported by most modern browsers when running on an HTTPS connection. PKCE requires that the browser implements crypto.subtle (also known as webcrypto). Most modern browsers provide this when running in a secure context (on an HTTPS connection). PKCE also requires the TextEncoder object. This is available on all major browsers except IE 11 and Edge < v79. To add support, we recommend using a polyfill/shim such as text-encoding.

If the user's browser does not support PKCE, an exception will be thrown. You can test if a browser supports PKCE before construction with this static method:

OktaAuth.features.isPKCESupported()

Implicit OAuth 2.0 flow

:warning: We strongly discourage using the implicit flow. Use PKCE and/or client credentials if possible.

Implicit OAuth flow is available as an option if PKCE flow cannot be supported in your deployment. It is widely supported by most browsers, and can work over an insecure HTTP connection. Note that implicit flow is less secure than PKCE flow, even over HTTPS, since raw tokens are exposed in the browser's history. For this reason, we highly recommending using the PKCE flow if possible.

Implicit flow can be enabled by setting the pkce option to false

var config = {
  pkce:  false,

  // other config
  issuer: 'https://{yourOktaDomain}/oauth2/default',
};

var authClient = new OktaAuth(config);

Redirects and Routing

To sign a user in, your application must redirect the browser to the Okta-hosted sign-in page.

Note: Initial redirect to Okta-hosted sign-in page starts a transaction with a stateToken lifetime set to one hour.

After successful authentication, the browser is redirected back to your application along with information about the user. Depending on your preferences it is possible to use the following callback strategies.

Handling the callback without routing

Most applications will handle an OAuth callback using a special route/page, separate from the signin page. However some SPA applications have no routing logic and will want to handle everything in a single page.

1. Create / configure your auth-js instance
2. Before starting the OktaAuth service, or making any other API calls with auth-js , call token.isLoginRedirect - if this returns true, call token.parseFromUrl and save tokens using tokenManager.setTokens. It’s important that no other app logic runs until the async parseFromUrl / token manager logic is complete
3. After this, continue normal app logic

async function main() {
  // create OktaAuth instance
  var config = {
    issuer: 'https://{yourOktaDomain}/oauth2/default',
    clientId: 'GHtf9iJdr60A9IYrR0jw',
    redirectUri: 'https://acme.com/oauth2/callback/home',
  };
  authClient = new OktaAuth(config);

  // Subscribe to authState change event.
  authClient.authStateManager.subscribe(function(authState) {
    // Logic based on authState is done here.
    if (!authState.isAuthenticated) {
      // render unathenticated view
      return;
    }

    // Render authenticated view
  });

  // Handle callback
  if (authClient.token.isLoginRedirect()) {
    const { tokens } = await authClient.token.parseFromUrl(); // remember to "await" this async call
    authClient.tokenManager.setTokens(tokens);
  }

  // normal app startup
  authClient.start(); // will update auth state and call event listeners
}

Handling the callback with hash routing

According to the OAuth 2.0 spec the redirect URI "MUST NOT contain a fragment component": https://tools.ietf.org/html/rfc6749#section-3.1.2 When using a hash/fragment routing strategy and OAuth 2.0, the redirect callback will be the main / default route. The redirect callback flow will be very similar to handling the callback without routing. We recommend defining the logic that will parse redirect url at the very beginning of your app, before any other authorization checks.

Additionally, if using hash routing, we recommend using PKCE and responseMode "query" (this is the default for PKCE). With implicit flow, tokens in the hash could cause unpredictable results since hash routers may rewrite the fragment.

Handling the callback with path routing (on a dedicated route)

1. Define a redirectUri that maps to a dedicated route in your app
2. Before redirect, save the current route: setOriginalUri
3. Do the redirect to okta: token.getWithRedirect
4. After successful authentication, Okta will redirect back to the configured redirectUri, your app should load on the dedicated callback route
5. On this callback page:
   1. call token.parseFromUrl to retrieve tokens
   2. Add tokens to the TokenManager: tokenManager.setTokens
6. Read saved route and redirect to it: getOriginalUri

Enabling DPoP

_{^{Reference: DPoP (Demonstrating Proof-of-Possession) - RFC9449}}

Requirements

• DPoP must be enabled in your Okta application (Guide: Configure DPoP)
• Only supported on web (browser)
• https is required. A secure context is required for WebCrypto.subtle
• Targeted browsers must support IndexedDB (MDN, caniuse)
• :warning: IE11 (and lower) is not supported!

Configuration

const config = {
  // other configurations
  pkce: true,     // required
  dpop: true,
  dpopOptions: {
    // set to `true` to skip the validation to check the resulting token response includes `token_type: DPoP`
    allowBearerTokens: false    // defaults to `false`, tokens are validated to include `token_type: DPoP`
  }
};

const authClient = new OktaAuth(config);

Providing DPoP Proof to Resource Requests

_{^{Reference: The DPoP Authentication Scheme (RFC9449)}}

DPoP-Protected Resource Request (link)

GET /protectedresource HTTP/1.1
Host: resource.example.org
Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsIm...

Fetching DPoP-Protected Resource

async function dpopAuthenticatedFetch (url, options) {
  const { method } = options;
  const dpop = await authClient.getDPoPAuthorizationHeaders({ url, method });
  // dpop = { Authorization: "DPoP token****", Dpop: "proof****" }
  const headers = new Headers({...options.headers, ...dpop});
  return fetch(url, {...options, headers });
}

Handling use_dpop_nonce

_{^{Reference: Resource Server-Provided Nonce (RFC9449)}}

Resource servers can also choose to provide a nonce value to be included in DPoP proofs sent to them. They provide the nonce using the DPoP-Nonce header in the same way that authorization servers do...

Resource Server Response

HTTP/1.1 401 Unauthorized
WWW-Authenticate: DPoP error="use_dpop_nonce", \
   error_description="Resource server requires nonce in DPoP proof"
DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v

Handling Response

async function dpopAuthenticatedFetch (url, options) {
  // ...previous example...
  const resp = await fetch(url, {...options, headers });
  // resp = HTTP/1.1 401 Unauthorized...

  if (!resp.ok) {
    const nonce = authClient.parseUseDPoPNonceError(resp.headers);
    if (nonce) {
      const retryDpop = await authClient.getDPoPAuthorizationHeaders({ url, method, nonce });
      const retryHeaders = new Headers({...options.headers, ...retryDpop});
      return fetch(url, {...options, headers: retryHeaders });
    }
  }

  return resp;
}

Ensure browser can support DPoP (Recommended)

DPoP requires certain browser features. A user using a browser without the required features will unable to complete a request for tokens. It's recommended to verify browser support during application bootstrapping.

// App.tsx
useEffect(() => {
  if (!authClient.features.isDPoPSupported()) {
    // user will be unable to request tokens
    navigate('/unsupported-error-page');
  }
}, []);

Clear DPoP Storage (Recommended)

DPoP requires the generation of a CryptoKeyPair which needs to be persisted in storage. Methods like signOut() or revokeAccessToken() will clear the key pair, however users don't always explicitly logout. It's therefore good practice to clear storage before login to flush any orphaned key pairs generated from previously requested tokens.

async function login (options) {
  await authClient.clearDPoPStorage();      // clear possibly orphaned key pairs

  return authClient.signInWithRedirect(options);
}

Configuration reference

Whether you are using this SDK to implement an OIDC flow or for communicating with the Authentication API, the only required configuration option is issuer, which is the URL to an Okta Authorization Server

About the Issuer

You may use the URL for your Okta organization as the issuer. This will apply a default authorization policy and issue tokens scoped at the organization level.

var config = {
  issuer: 'https://{yourOktaDomain}'
};

var authClient = new OktaAuth(config);

Okta allows you to create multiple custom OAuth 2.0 authorization servers that you can use to protect your own resource servers. Within each authorization server you can define your own OAuth 2.0 scopes, claims, and access policies. Many organizations have a "default" authorization server.

var config = {
  issuer: 'https://{yourOktaDomain}/oauth2/default'
};

var authClient = new OktaAuth(config);

You may also create and customize additional authorization servers.

var config = {
  issuer: 'https://{yourOktaDomain}/oauth2/custom-auth-server-id'
};

var authClient = new OktaAuth(config);

Configuration options

These options can be included when instantiating Okta Auth JS (new OktaAuth(config)).

issuer

:warning: This option is required

The URL for your Okta organization or an Okta authentication server. About the issuer

clientId

Client Id pre-registered with Okta for the OIDC authentication flow. Creating your Okta application

redirectUri

The url that is redirected to when using token.getWithRedirect. This must be listed in your Okta application's Login redirect URIs. If no redirectUri is provided, defaults to the current origin (window.location.origin). Configuring your Okta application

postLogoutRedirectUri

Specify the url where the browser should be redirected after signOut. This url must be listed in your Okta application's Logout redirect URIs. If not specified, your application's origin (window.location.origin) will be used. Configuring your Okta application |

scopes

Specify what information to make available in the returned id_token or access_token. For OIDC, you must include openid as one of the scopes. Defaults to ['openid', 'email']. For a list of available scopes, see Scopes and Claims

state

A client-provided string that will be passed to the server endpoint and returned in the OAuth response. The value can be used to validate the OAuth response and prevent cross-site request forgery (CSRF). Defaults to a random string.

pkce

Default value is true which enables the PKCE OAuth Flow. To use the Implicit Flow or Authorization Code Flow, set pkce to false.

dpop

Default value is false. Set to true to enable DPoP (Demonstrating Proof-of-Possession (RFC9449))

See Guide: Enabling DPoP

dpopOptions

Default value:

dpopOptions: {
  allowBearerTokens: false
}

See Guide: Enabling DPoP

dpopOptions.allowBearerTokens

When false, dpop-enabled token requests are validated to contain token_type: DPoP and will throw otherwise. Set to true to skip this validation and allow Bearer tokens as a possible token_type. This can be useful during a migration, to avoid needing to update a web application simutaneously with Okta Org configurations. Defaults to false

responseMode

When requesting tokens using token.getWithRedirect values will be returned as parameters appended to the redirectUri.

In most cases you will not need to set a value for responseMode. Defaults are set according to the OpenID Connect 1.0 specification.

• For PKCE OAuth Flow), the authorization code will be in search query of the URL. Clients using the PKCE flow can opt to instead receive the authorization code in the hash fragment by setting the responseMode option to "fragment".

• For Implicit OAuth Flow), tokens will be in the hash fragment of the URL. This cannot be changed.

responseType

Specify the response type for OIDC authentication when using the Implicit OAuth Flow. The default value is ['token', 'id_token'] which will request both an access token and ID token. If pkce is true, both the access and ID token will be requested and this option will be ignored. For web/native applications using the authorization_code flow, this value should be set to "code" and pkce should be set to false.

authorizeUrl

Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize".

userinfoUrl

Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo".

tokenUrl

Specify a custom tokenUrl. Defaults to the issuer plus "/v1/token".

ignoreSignature

:warning: This option should be used only for browser support and testing purposes.

ID token signatures are validated by default when token.getWithoutPrompt, token.getWithPopup, token.getWithRedirect, and token.verify are called. To disable ID token signature validation for these methods, set this value to true.

maxClockSkew

Defaults to 300 (five minutes). This is the maximum difference allowed between a client's clock and Okta's, in seconds, when validating tokens. Setting this to 0 is not recommended, because it increases the likelihood that valid tokens will fail validation.

ignoreLifetime

:warning: This option disables token lifetime validation, which can introduce security vulnerability issues. This option should be used for testing purpose. Please handle the error in your own app for production environment.

Token lifetimes are validated using the maxClockSkew. To override this and disable token lifetime validation, set this value to true.

transformAuthState

Callback function. When updateAuthState is called a new authState object is produced. Providing a transformAuthState function allows you to modify or replace this object before it is stored and emitted. A common use case is to change the meaning of isAuthenticated. By default, updateAuthState will set authState.isAuthenticated to true if unexpired tokens are available from tokenManager. This logic could be customized to also require a valid Okta SSO session:

const config = {
  // other config
  transformAuthState: async (oktaAuth, authState) => {
    if (!authState.isAuthenticated) {
      return authState;
    }
    // extra requirement: user must have valid Okta SSO session
    const user = await oktaAuth.token.getUserInfo();
    authState.isAuthenticated = !!user; // convert to boolean
    authState.users = user; // also store user object on authState
    return authState;
  }
};

const oktaAuth = new OktaAuth(config);
oktaAuth.authStateManager.subscribe(authState => {
  // handle latest authState
});
oktaAuth.authStateManager.updateAuthState();

restoreOriginalUri

:link: web browser only

Callback function. When sdk.handleRedirect is called, by default it uses window.location.replace to redirect back to the originalUri. This option overrides the default behavior.

const config = {
  // other config
  restoreOriginalUri: async (oktaAuth, originalUri) => {
    // redirect with custom router
    router.replace({
      path: toRelativeUrl(originalUri, baseUrl)
    });
  }
};

const oktaAuth = new OktaAuth(config);
if (oktaAuth.isLoginRedirect()) {
  try {
    await oktaAuth.handleRedirect();
  } catch (e) {
    // log or display error details
  }
}

devMode

Default to false. It enables debugging logs when set to true.

clientSecret

Used in authorization and interaction code flows by server-side web applications to obtain OAuth tokens. In a production application, this value should never be visible on the client side.

setLocation

Used in authorization and interaction code flows by server-side web applications to customize the redirect process.

httpRequestClient

The http request implementation. By default, this is implemented using cross-fetch. To provide your own request library, implement the following interface:

1. Must accept:
   • method (http method)
   • url (target url)
   • args (object containing headers and data)
2. Must return a Promise that resolves with a raw XMLHttpRequest response

var config = {
  url: 'https://{yourOktaDomain}',
  httpRequestClient: function(method, url, args) {
    // args is in the form:
    // {
    //   headers: {
    //     headerName: headerValue
    //   },
    //   data: postBodyData,
    //   withCredentials: true|false,
    // }
    return Promise.resolve(/* a raw XMLHttpRequest response */);
  }
}

storageManager

The storageManager provides access to client storage for specific purposes. storageManager configuration is divided into named sections. The default configuration is shown below:

var config = {
  storageManager: {
    token: {
      storageTypes: [
        'localStorage',
        'sessionStorage',
        'cookie'
      ],
    },
    cache: {
      storageTypes: [
        'localStorage',
        'sessionStorage',
        'cookie'
      ]
    },
    transaction: {
      storageTypes: [
        'sessionStorage',
        'localStorage',
        'cookie'
      ]
    }
  }
}

Important: If neither localStorage nor sessionStorage are available, the default storage provider may fall back to using cookie storage on some clients, . If your site will always be served over a HTTPS connection, you may want to forcibly enable "secure" cookies. This option will prevent cookies from being stored on an HTTP connection.

var config = {
  cookies: {
    secure: true
  }
}

storageType

The following values for storageType are recognized:

• memory: values are stored in a closure and will not survive a page reload
• sessionStorage: will only be available to the current browser tab
• localStorage: available to all browser tabs
• cookie: available to all browser tabs, and server-side code

Note: If the specified storageType is not available, but matches an entry in storageTypes, then default fallback logic will be applied. To disable this behavior, set storageTypes to an empty array:

var config = {
  storageManager: {
    token: {
      storageType: 'sessionStorage',
      storageTypes: []
    }
  }
}

or set the storageTypes property with only one entry:

var config = {
  storageManager: {
    token: {
      storageTypes: ['sessionStorage']
    }
  }
}

If fallback logic is disabled, the storageManager may throw an exception if an instance of the given storageType cannot be created.

storageTypes

A list of storageTypes, in order of preference. If a type is not available, the next type in the list will be tried.

storageProvider

This option allows you to pass a custom storage provider instance. If a storageProvider is set, the storageType will be ignored.

Important: A storage provider will receive sensitive data, such as the user's raw tokens, as a readable string. Any custom storage provider should take care to save this string in a secure location which is not accessible to unauthorized users.

A storageProvider must provide a simple but specific API to access client storage. An example of a storageProvider is the built-in localStorage. It has a method called getItem that returns a string for a key and a method called setItem which accepts a string and key.

A custom storage provider must implement two functions:

• getItem(key)
• setItem(key, value)

Optionally, a storage provider can also implement a removeItem function. If removeItem is not implemented, values will be cleared but keys will persist.

const myMemoryStore = {};
const storageProvider = {
  getItem: function(key) {
    // custom get
    return myMemoryStore[key];
  },
  setItem: function(key, val) {
    // custom set
    myMemoryStore[key] = val;
  },
  // optional
  removeItem: function(key) {
    delete myMemoryStore[key];
  }
}

var config = {
  storageManager: {
    token: {
      storageProvider: storageProvider
    }
  }
}

tokenManager

If cookie storage is specified, it is possible to specify whether or not a session cookie is used by the cookie storage. This will automatically be configured if sessionStorage is specified and you fall back to cookie storage. If sessionCookie is not specified it will create a cookie with an expiry date of 2200-01-01T00:00:00.000Z

var config = {
  cookies: {
    sessionCookie: true
  }
}

autoRenew

:warning: Moved to TokenService. For backwards compatibility will set services.tokenService.autoRenew

expireEarlySeconds

:warning: DEV ONLY

To facilitate a more stable user experience, tokens are considered expired 30 seconds before actual expiration time. You can customize this value by setting the expireEarlySeconds option. The value should be large enough to account for network latency and clock drift between the client and Okta's servers.

NOTE expireEarlySeconds option is only allowed in the DEV environment (localhost). It will be reset to 30 seconds when running in environments other than DEV.

// Emit expired event 2 minutes before expiration
// Tokens accessed with tokenManager.get() will auto-renew within 2 minutes of expiration
tokenManager: {
  expireEarlySeconds: 120
}

autoRemove

:warning: Moved to TokenService. For backwards compatibility will set services.tokenService.autoRenew

syncStorage

:warning: Moved to SyncStorageService. For backwards compatibility will set services.syncStorageService.enable

storageKey

By default all tokens will be stored under the key okta-token-storage. You may want to change this if you have multiple apps running on a single domain which share the same storage type. Giving each app a unique storage key will prevent them from reading or writing each other's token values.

storage

Specify the storage type for tokens. This will override any value set for the token section in the storageManager configuration. By default, localStorage will be used. This will fall back to sessionStorage or cookie if the previous type is not available. You may pass an object or a string. If passing an object, it should meet the requirements of a custom storage provider. Pass a string to specify one of the built-in storage types:

• localStorage (default)
• sessionStorage
• cookie
• memory: a simple in-memory storage provider

var config = {
  url: 'https://{yourOktaDomain}',
  tokenManager: {
    storage: 'sessionStorage'
  }
};

var authClient = new OktaAuth(config);

A custom storage provider instance can also be passed here. (This will override any storageProvider value set under the token section of the storageManager configuration)

var myMemoryStore = {};
const storageProvider = {
  getItem: function(key) {
    // custom get
    return myMemoryStore[key];
  },
  setItem: function(key, val) {
    // custom set
    myMemoryStore[key] = val;
  },
  // optional
  removeItem: function(key) {
    delete myMemoryStore[key];
  }
}

const config = {
  url: 'https://{yourOktaDomain}',
  tokenManager: {
    storage: storageProvider
  }
};

const authClient = new OktaAuth(config);
const { tokens } = await authClient.token.getWithoutPrompt();
authClient.tokenManager.setTokens(tokens); // storageProvider.setItem

cookies

An object containing additional properties used when setting cookies

secure

Defaults to true, unless the application origin is http://localhost, in which case it is forced to false. If true, the SDK will set the "Secure" option on all cookies. When this option is true, an exception will be thrown if the application origin is not using the HTTPS protocol. Setting to false will allow setting cookies on an HTTP origin, but is not recommended for production applications.

sameSite

Defaults to none if the secure option is true, or lax if the secure option is false. Allows fine-grained control over the same-site cookie setting. A value of none allows embedding within an iframe. A value of lax will avoid being blocked by user "3rd party" cookie settings. A value of strict will block all cookies when redirecting from Okta and is not recommended.

clearPendingRemoveTokens

Defaults to true, set this option to false if you want to opt-out of the default clearing pendingRemove tokens behaviour when tokenManager.start() is called.

services

:gear: Requires a running service The following configurations require OktaAuth to be running as a service. See running service for more info.

Default configuration:

services: {
  autoRenew: true,
  autoRemove: true,
  syncStorage: true,
  renewOnTabActivation: true,
  tabInactivityDuration: 1800   // seconds
}

autoRenew

When true, the library will attempt to renew tokens before they expire. If you wish to manually control token renewal, set autoRenew to false to disable this feature. You can listen to expired events to know when the token has expired.

NOTE tokens are considered expired slightly before their actual expiration time. For more info, see expireEarlySeconds.

In version 6.X, the autoRenew configuration was set in config.tokenManager. To maintain backwards compatibility, this configuration is still respected but with a slight caveat. tokenManager.autoRenew configures 2 token auto renew strategies, active and passive.

• active - Network requests are made in the background in an attempt to refresh tokens before they are truly expired to maintain a seamless UX.

  :warning: this can cause an unintended side effect where the session never expires because it is constantly being refreshed (extended) before the actual expiration time

• passive - Token refresh attempts are only made when oktaAuth.isAuthenticated is called and the current tokens are determined to be expired.

When tokenManager.autoRenew is true both renew strategies are enabled. To disable the active strategy, set tokenManager.autoRenew to true and services.autoRenew to false. To disable both renew strategies set either tokenManager.autoRenew or services.autoRenew to false

autoRemove

By default, the library will attempt to remove expired tokens when autoRemove is true. If you wish to disable auto removal of tokens, set autoRemove to false.

syncStorage

Automatically syncs tokens across browser tabs when it's supported in browser (browser supports native broadcastchannel API, IndexDB or localStorage). To disable this behavior, set syncStorage to false.

This is accomplished by selecting a single tab to handle the network requests to refresh the tokens and broadcasting to the other tabs. This is done to avoid all tabs sending refresh requests simultaneously, which can cause rate limiting/throttling issues.

renewOnTabActivation

NOTE: This service requires autoRenew: true

When enabled ({ autoRenew: true, renewOnTabActivation: true }), this service binds a handler to the Page Visibility API which attempts a token renew (if needed) when the tab becomes active after a (configurable) inactivity period

tabInactivityDuration

The amount of time, in seconds, a tab needs to be inactive for the RenewOnTabActivation service to attempt a token renew. Defaults to 1800 (30 mins)

API Reference

• start
• stop
• signIn
• signInWithCredentials
• signInWithRedirect
• signOut
• closeSession
• revokeAccessToken
• revokeRefreshToken
• forgotPassword
• unlockAccount
• verifyRecoveryToken
• webfinger
• fingerprint
• isAuthenticated
• getUser
• getIdToken
• getAccessToken
• getOrRenewAccessToken
• storeTokensFromRedirect
• setOriginalUri
• getOriginalUri
• removeOriginalUri
• isLoginRedirect
• handleLoginRedirect
• handleRedirect
• setHeaders
• tx.resume
• tx.exists
• transaction.status
• getDPoPAuthorizationHeaders
• parseUseDPoPNonceError
• clearDPoPStorage
• session
  • session.setCookieAndRedirect
  • session.exists
  • session.get
  • session.refresh
• idx
• myaccount
• endpoints
  • endpoints.autorize.enrollAuthenticator
• token
  • token.getWithoutPrompt
  • token.getWithPopup
  • token.getWithIDPPopup
  • token.getWithRedirect
  • token.parseFromUrl
  • token.decode
  • token.renew
  • token.getUserInfo
  • token.verify
  • token.isLoginRedirect
  • token.prepareTokenParams
  • token.exchangeCodeForTokens
• tokenManager
  • tokenManager.add
  • tokenManager.get
  • tokenManager.getTokens
  • tokenManager.setTokens
  • tokenManager.remove
  • tokenManager.clear
  • tokenManager.renew
  • tokenManager.on
  • tokenManager.off
• authStateManager
  • authStateManager.getAuthState
  • authStateManager.updateAuthState
  • authStateManager.subscribe
  • authStateManager.unsubscribe
• http
  • http.setRequestHeader

start()

:hourglass: async

Starts the OktaAuth service. See running as a service for more details.

stop()

:hourglass: async

Stops the OktaAuth service. See running as a service for more details.

signIn(options)

:warning: Deprecated, this method will be removed in next major release, use signInWithCredentials instead.

signInWithCredentials(options)

See authn API.

signInWithRedirect(options)

:link: web browser only
:hourglass: async

Starts the full-page redirect to Okta with optional request parameters. In this flow, there is a originalUri parameter in options to track the route before the user signIn, and the addtional params are mapped to the Authorize options. You can use storeTokensFromRedirect to store tokens and getOriginalUri to clear the intermediate state (the originalUri) after successful authentication.

if (authClient.isLoginRedirect()) {
  try {
    await authClient.handleRedirect();
  } catch (e) {
    // log or display error details
  }
} else if (!await authClient.isAuthenticated()) {
  // Start the browser based oidc flow, then parse tokens from the redirect callback url
  authClient.signInWithRedirect();
} else {
  // User is authenticated
}

signOut()

:hourglass: async :link: web browser only

Signs the user out of their current Okta session and clears all tokens stored locally in the TokenManager. By default, the refresh token (if any) and access token are revoked so they can no longer be used. Some points to consider:

• Will redirect to an Okta-hosted page before returning to your app.
• If a postLogoutRedirectUri has not been specified or configured, window.location.origin will be used as the return URI. This URI must be listed in the Okta application's Login redirect URIs. If the URI is unknown or invalid the redirect will end on a 400 error page from Okta. This error will be visible to the user and cannot be handled by the app.
• Requires a valid ID token. If an ID token is not available, signOut will fallback to using the XHR-based closeSession method. This method may fail to sign the user out if 3rd-party cookies have been blocked by the browser.
• If a fallback to closeSession is used, signOut() returns a promise that resolves with the result of closeSession (true if an existing Okta session have been closed or false if a session does not exist or has already been closed). Otherwise a promise resolves with true.
• For more information, see Logout in the OIDC API documentation.

signOut takes the following options:

• postLogoutRedirectUri - Setting a value will override the postLogoutRedirectUri configured on the SDK. This will default to window.location.origin if no value is provided. To prevent this explicitly pass null to leverage the default behavior of /logout. If signOut falls back to closeSession window.location.origin will still be used as the default value, even if null is passed.
• state - An optional value, used along with postLogoutRedirectUri. If set, this value will be returned as a query parameter during the redirect to the postLogoutRedirectUri
• idToken - Specifies the ID token object. By default, signOut will look for a token object named idToken within the TokenManager. If you have stored the id token object in a different location, you should retrieve it first and then pass it here.
• clearTokensBeforeRedirect - If true (default: false) local tokens will be removed before the logout redirect happens. Otherwise a flag (pendingRemove) will be added to each local token instead of clearing them immediately. Calling oktaAuth.start() after logout redirect will clear local tokens if flags are found. Use this option with care: removing local tokens before fully terminating the Okta SSO session can result in logging back in again when using @okta/okta-react's SecureRoute component.
• revokeAccessToken - If false (default: true) the access token will not be revoked. Use this option with care: not revoking tokens may pose a security risk if tokens have been leaked outside the application.
• revokeRefreshToken - If false (default: true) the refresh token will not be revoked. Use this option with care: not revoking tokens may pose a security risk if tokens have been leaked outside the application. Revoking a refresh token will revoke any access tokens minted by it, even if revokeAccessToken is false.
• accessToken - Specifies the access token object. By default, signOut will look for a token object named accessToken within the TokenManager. If you have stored the access token object in a different location, you should retrieve it first and then pass it here. This options is ignored if the revokeAccessToken option is false.

// Sign out using the default options
authClient.signOut()

// Override the post logout URI for this call
authClient.signOut({
  postLogoutRedirectUri: `${window.location.origin}/logout/callback`
});

// In this case, the ID token is stored under the 'myIdToken' key
var idToken = await authClient.tokenManager.get('myIdToken');
authClient.signOut({
  idToken: idToken
});

// In this case, the access token is stored under the 'myAccessToken' key
var accessToken = await authClient.tokenManager.get('myAccessToken');
authClient.signOut({
  accessToken: accessToken
});

closeSession()

:warning: This method requires access to third party cookies
:hourglass: async

Signs the user out of their current Okta session and clears all tokens stored locally in the TokenManager. Returns a promise that resolves with true if an existing Okta session have been closed, or false if a session does not exist or has already been closed. This method is an XHR-based alternative to signOut, which will redirect to Okta before returning to your application. Here are some points to consider when using this method:

• Executes in the background. The user will see not any change to window.location.
• The method will fail to sign the user out if 3rd-party cookies are blocked by the browser.
• Does not revoke the access token. It is strongly recommended to call revokeAccessToken before calling this method
• It is recommended (but not required) for the app to call window.location.reload() after the XHR method completes to ensure your app is properly re-initialized in an unauthenticated state.
• For more information, see Close Current Session in the Session API documentation.

await authClient.revokeAccessToken(); // strongly recommended
authClient.closeSession()
  .then((sessionClosed) => {
    if (sessionClosed) {
      window.location.reload(); // optional
    } else {
      // Session does not exist or has already been closed
    }
  })
  .catch(e => {
    if (e.xhr && e.xhr.status === 429) {
      // Too many requests
    }
  })

revokeAccessToken(accessToken)

:hourglass: async

Revokes the access token for this application so it can no longer be used to authenticate API requests. The accessToken parameter is optional. By default, revokeAccessToken will look for a token object named accessToken within the TokenManager. If you have stored the access token object in a different location, you should retrieve it first and then pass it here. Returns a promise that resolves when the operation has completed. This method will succeed even if the access token has already been revoked or removed.

revokeRefreshToken(refreshToken)

:hourglass: async

Revokes the refresh token (if any) for this application so it can no longer be used to mint new tokens. The refreshToken parameter is optional. By default, revokeRefreshToken will look for a token object named refreshToken within the TokenManager. If you have stored the refresh token object in a different location, you should retrieve it first and then pass it here. Returns a promise that resolves when the operation has completed. This method will succeed even if the refresh token has already been revoked or removed.

forgotPassword(options)

See authn API.

unlockAccount(options)

See authn API.

verifyRecoveryToken(options)

See authn API.

webfinger(options)

:hourglass: async

Calls the Webfinger API and gets a response.

• resource - URI that identifies the entity whose information is sought, currently only acct scheme is supported (e.g acct:dade.murphy@example.com)
• rel - Optional parameter to request only a subset of the information that would otherwise be returned without the "rel" parameter

authClient.webfinger({
  resource: 'acct:john.joe@example.com',
  rel: 'okta:idp'
})
.then(function(res) {
  // use the webfinger response to select an idp
})
.catch(function(err) {
  console.error(err);
});

fingerprint(options)

:hourglass: async

Creates a browser fingerprint. See Primary authentication with device fingerprint for more information.

• timeout - Time in ms until the operation times out. Defaults to 15000.

authClient.fingerprint()
.then(function(fingerprint) {
  // Do something with the fingerprint
})
.catch(function(err) {
  console.log(err);
})

isAuthenticated(options?)

:hourglass: async

Resolves with authState.isAuthenticated from non-pending authState.

options

• expiredTokenBehavior: 'renew' (default) | 'remove' | 'none'
  • 'renew' - attempt to renew token before Promise resolves
  • 'remove' - removes token
  • 'none' - neither renews or removes expired token

NOTE: tokenManager.autoRenew and tokenManager.autoRemove determine the default value for expiredTokenBehavior

getUser()

:hourglass: async

Alias method of token.getUserInfo.

getIdToken()

Returns the id token string retrieved from authState if it exists.

getAccessToken()

Returns the access token string retrieved from authState if it exists.

getOrRenewAccessToken()

Returns the access token string if it exists. Returns null if the access token doesn't exist or a renewal cannot be completed

storeTokensFromRedirect()

:hourglass: async

Parses tokens from the redirect url and stores them.

setOriginalUri(uri?)

Stores the current URL state before a redirect occurs.

getOriginalUri(state?)

Returns the stored URI string stored by setOriginal. An OAuth state parameter is optional. If no value is passed for state, the URI is retrieved from isolated session storage and will work in a single browser. If a valid OAuth state is passed this method can return the URI stored from another browser tab.

removeOriginalUri()

Removes the stored URI string stored by setOriginal from storage.

isLoginRedirect()

:link: web browser only

Check window.location to verify if the app is in OAuth callback state or not. This function is synchronous and returns true or false.

if (authClient.isLoginRedirect()) {
  // callback flow
  try {
    await authClient.handleRedirect();
  } catch (e) {
    // log or display error details
  }
} else {
  // normal app flow
}

handleLoginRedirect(tokens?, originalUri?)

:link: web browser only
:hourglass: async
:warning: Deprecated, this method could be removed in next major release, use sdk.handleRedirect instead.

Stores passed in tokens or tokens from redirect url into storage, then redirect users back to the originalUri. When using PKCE authorization code flow, this method also exchanges authorization code for tokens. By default it calls window.location.replace for the redirection. The default behavior can be overrided by providing options.restoreOriginalUri. By default, originalUri will be retrieved from storage, but this can be overridden by passing a value fro originalUri to this function in the 2nd parameter.

Note: handleLoginRedirect throws OAuthError or AuthSdkError in case there are errors during token retrieval.

handleRedirect(originalUri?)

:link: web browser only
:hourglass: async

Handle a redirect to the configured redirectUri that happens on the end of login flow, enroll authenticator flow or on an error.
Stores tokens from redirect url into storage (for login flow), then redirect users back to the originalUri. When using PKCE authorization code flow, this method also exchanges authorization code for tokens. By default it calls window.location.replace for the redirection. The default behavior can be overrided by providing options.restoreOriginalUri. By default, originalUri will be retrieved from storage, but this can be overridden by specifying originalUri in the first parameter to this function.

Note: handleRedirect throws OAuthError or AuthSdkError in case there are errors during token retrieval or authenticator enrollment.

handleIDPPopupRedirect(url?)

:link: web browser only
:hourglass: async

Used in conjunction with token.getWithIDPPopup. Handles the redirect from the Authorization Server back to the web application. This method relays the resulting OAuth2 response from the popup window to the main window.

setHeaders()

Can set (or unset) request headers after construction.

const authClient = new OktaAuth({
  issuer: 'https://{yourOktaDomain}',

  // headers can be set during construction
  headers: {
    foo: 'bar'
  }
});

// Headers can be set (or modified) after construction
authClient.setHeaders({
  foo: 'baz'
});

// Headers can be removed
authClient.setHeaders({
  foo: undefined
})

tx.resume()

See authn API.

tx.exists()

See authn API.

transaction.status

See authn API.

getDPoPAuthorizationHeaders(params)

:link: web browser only
:hourglass: async

Requires dpop set to true. Returns Authorization and Dpop header values to build a DPoP protected-request.

Params: url and (http) method are required.

• accessToken is optional, but will be read from tokenStorage if not provided
• nonce is optional, may be provided via use_dpop_nonce pattern from Resource Server (more info)

parseUseDPoPNonceError(headers)

:link: web browser only

Utility to extract and parse the WWW-Authenticate and DPoP-Nonce headers from a network response from a DPoP-protected request. Should the response be in the following format, the nonce value will be returned. Otherwise returns null

HTTP/1.1 401 Unauthorized
WWW-Authenticate: DPoP error="use_dpop_nonce", \
   error_description="Resource server requires nonce in DPoP proof"
DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v

clearDPoPStorage(clearAll=false)

:link: web browser only
:hourglass: async

Clears storage location of CryptoKeyPairs generated and used by DPoP. Pass true to remove all key pairs as it's possible for orphaned key pairs to exist. If clearAll is false, the key pair bound to the current accessToken in tokenStorage will be removed.

It's recommended to call this function during user login. See Example

session

session.setCookieAndRedirect(sessionToken, redirectUri)

See authn API.

session.exists()

:link: web browser only
:warning: This method requires access to third party cookies
:hourglass: async

Returns a promise that reso

Changelog

7.12.1

Fixes

• #1585 fix: idx.poll now respects exchangeCodeForTokens and withCredentials options

7.12.0

Features

• #1573 feat: adds token.getWithIDPPopup() method

  • A Cross-Origin-Opener-Policy resilient method of acquiring tokens using via external IDPs.
  • See documentation for more detailed explanation

• #1584 feat: adds dpopOptions.allowBearerTokens configuration

7.11.3

Fixes

• #1583 fix: corrects @babel/runtime version

7.11.2

Fixes

• #1581 fix: bumps @babel/runtime version

7.11.1

Fixes

• #1572 fix: adds DPoP support to MyAccount API client

7.11.0

Features

• #1571 add: pollDelay option for OktaAuth contructor to fix polling issue in Mobile Safari 17.x and 18.x

7.10.1

Other

• #1562 chore: Remove ua-parser-js. Change isMobileSafari18 to isSafari18

7.10.0

Bug Fix

• #1552 fix: start poll request when document is visible and awaken in Mobile Safari 18.x

7.8.1

Bug Fix

• #1547 fix: replaces jsonpath-plus module
  • Address https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884

7.8.0

Features

• #1530 add: fingerprint API to IDX bundle

7.7.1

• #1529 fix: persist extraParams passed to /authorize and include them during token refresh

7.7.0

Features

• #1495 add: DPoP support

Fixes

• #1508 IDX: add condition to compare stateHandles when loading saved idxResponse only when useGenericRemediator option is false or undefined

7.6.0

Features

• #1507 add: new method getOrRenewAccessToken
• #1505 add: support of revokeSessions param for OktaPassword authenticator (can be used in reset-authenticator remediation)
• #1512 add: new service RenewOnTabActivation

Bug Fix

• #1513 fix: restricts issuer "-admin" validation to .okta domain

7.5.1

Bug Fix

• #1488 fix: type OktaAuthOptions now requires issuer
• #1482 fix: idToken claim validation now accepts aud array
  • Resolves #1481
• #1487 fix: Handle fetch exceptions

7.5.0

Bug Fix

• #1462 Fixes ESM build for Node.js
• #1472 Added missing remediator ReEnrollAuthenticatorWarning
• #1473 Resolves circular dependencies issue for ESM build

Other

• #1449 chore: bump broadcast-channel version to 5.3.0
• #1463 chore: Updates type definitions for HttpRequestClient and IdentifyValues

7.4.3

Bug Fix

• #1466 Fix: Issues with launch-authenticator rememdiation on safari

7.4.2

Bug Fix

• #1448 Fix: UA string in Node no longer continuously extends

7.4.1

Bug Fix

• #1446 Fix: prevents incorrectly removing idx message duplicates

7.4.0

Features

• #1440 Fixes type of tokenManager.getSync

• #1439 .signOut improvements

  • Passing postLogoutRedirectUri: null to .signOut now omits the param from /logout call and will observe the behavior of /logout
  • state is now returned as a query param to the postLogoutRedirectUri when .signOut falls back to .closeSession

• #1412

  • Adds oauth2 introspect method, exposed as authClient.token.introspect
  • Adds optional tokens param to renewTokens

Fixes

• #1421 Throw error if there is incorrect relatesTo in IDX response

Other

• #1409 Adds password page to React myaccount sample app
• #1422 IDX: add customLabel to Input type

7.3.1

Fixes

• #1426 fix: Don't auto remediate SelectAuthenticator with current authenticator

7.3.0

Features

• #1404 Adds react-native to package.json
• #1395 Changes resolve value of closeSession() and signOut() to boolean

Fixes

• #1398 Fixes race condition in LeaderElectionService start

7.2.0

Features

• #1333 Adds support for MyAccount API password methods
• #1324 Adds endpoints.authorize.enrollAuthenticator. Adds handleRedirect and deprecates handleLoginRedirect.

Fixes

• #1354 Fixes token auto renew if token has expired before AutoRenewService start
• #1359 IDX: removes statehandle check when load saved idxResponse

7.1.1

Fixes

• #1355 Adds missing type currentAuthenticatorEnrollment to IdxContext

7.1.0

Features

• #1343 Supports Step Up MFA against /authorize and /interact endpoints

Other

• #1342 - fixes possible RCE in jsonpath-plus

7.0.2

Fixes

• #1335 IDX: adds uiDisplay property to IdxContext type
• #1336 IDX: adds deviceKnown property to IdxAuthenticator type
• #1337 IDX: fixes account activation flow by removing check for identify remediation

7.0.1

Fixes

• #1319 IDX: fixes cancel request issue in terminal status

7.0.0

Breaking Changes

• #1181 Removes legacy PKCE/OAuth storage
• #1271 Removes options field from NextStep of IDX transaction
• #1274 Removes shouldProceedWithEmailAuthenticator option from idx module

6.9

• #1307 Adds nonce param to idx.interact (and idx.start)

6.8.1

Fixes

• #1305 Bumps version of broadcast-channel to 4.17, removing microtime sub dependency

6.8.0

Other

• #1243 Adds export of ./polyfill in package.json
• #1276 Support custom URL scheme in isAbsoluteUrl

6.7.7

• #1292 Fixes browser default entry issue from #1269
• #1286 Fixes embedded browser regression issue when localStorage is disabled

  6.7.6

Fixes

• #1277 IDX GenericRemediator patches (beta):
  • fixes error handling issue

6.7.5

Fixes

• #1269 Fixes ESM exports
  • Adds default export under ./browser to support `Jest@28.1+`
  • Adds work-around for webpack/webpack#13457 to support Module Federation (with ESM bundles)

6.7.4

Fixes

• #1263 (IDX) select-enrollment-channel remediation now accepts protocol defined inputs, as well as conveniences
• #1262 Freezes broadcast-channel version at 4.13.0, 4.14.0 requires node 14+ (This fix has been applied to 6.5.4 and up)

6.7.3

• #1264 IDX GenericRemediator patches (beta):
  • allows proceeding when options.step is available

6.7.2

Fixes

• #1251 IDX GenericRemediator patches (beta):
  • allows flow entry point requests

6.7.1

Fixes

• #1245 IDX GenericRemediator patches (beta):

  • disables client side validation
  • fixes ion response primitive types transformation issue
  • adds missing types to IdxAuthenticator
  • adds missing action meta to IdxTransaction.availableSteps

• #1247 - Fixes OV enrollment flow issue in authentication flow.

6.7.0

Features

• #1197
  • Changes implementation of SyncStorageService using broadcast-channel instead of using StorageEvent. Supports localStorage and cookie storage.
  • Adds LeaderElectionService as separate service
  • Fixes error Channel is closed while stopping leader election
• #1158 Adds MyAccount API. See MyAccount API DOC for detailed information.

6.6.3

• #1282 Backport 6.5.4, includes microtime fix #1280

6.6.2

Fixes

• #1231 IDX: exposes field level error messages
• #1234 IDX: passes unknown selected option to backend for validation when use GenericRemediator (beta)

6.6.1

Fixes

• #1221 Fixes ES module for Node.js by using latest broadcast-channel

6.6.0

Features

• #1225 oktaAuth.start/oktaAuth.stop now return a Promise, ensures services have started/stopped before resolving

Fixes

• #1226 Fixes idx terminal status response SDK level undefined error when use GenericRemediator (beta)
• #1222 Invalid (or expired) refresh tokens are now removed from storage when invalid token error occurs

6.5.4

• #1280 Locks version of broadcast-channel at 4.13.0 to prevent node minimum version regressions

6.5.3

• #1224 Fixes missing relatesTo type from NextStep

6.5.2

Fixes

• #1215 Fixes polling issue in GenericRemediator (beta)

6.5.1

Fixes

• #1200 Fixes canRemediate logic in GenericRemediator (beta) to handle nested fields
• 1207 Fixes canRemediate logic in GenericRemediator (beta) to handle options fields

Other

• #1200 Adds missing fields to Input type in idx module

6.5.0

Features

• #1186 Supports maxAge param in interaction code flow. This parameter can be passed in from either SDK level options or idx.interact options.
• #1189 IDX: includes options field in inputs scope, and deprecated top level options from nextStep field of the response (removal will happen in the next major version).

Fixes

• #1189 IDX: fixes input type indicator's field name for username and authenticator. Before the indicator was named as key, now it's fixed to type to follow input metadata with all other inputs.

  6.4.5

Fixes

• #1240 Fixes Apple SSO flow: includes stepUp on returned IdxTransaction

6.4.4

Fixes

• #1199 Fixes webauthn enrollment/verification to accept credentials object

6.4.3

Fixes

• #1182 Fixes security question verification to accept credentials.answer
• #1184 Fixes type declarations: ApiError, responseType, responseMode
• #1185 Fixes "cancel" and "skip" action called after receiving a terminal or error response

6.4.2

Fixes

• #1180 Fixes commonjs bundle dynamic import transpiling issue

6.4.1

Fixes

#1177 - fixes issue with repeated calls to oktaAuth.start()

6.4

Features

• #1161
  • IDX actions accept optional/additional parameters
  • requestDidSucceed is returned on IdxTransaction
  • adds IDX option shouldProceedWithEmailAuthenticator to disable email authenticator auto-selection

Fixes

• #1145

  • IDX: form field-level messages are now passed through via idxState
  • Type Fixes:
    • IdxContent: user property now optional
    • Input: added missing key property

• #1161

  • fixes for stateToken flow

Other

• #1145
  • refactor: IDX methods now use auth-js http client
  • refactor: idx-js methods have been refactored to idxState

6.3.2

Fixes

• #1169 Removes deleted file which was inadvertently added back in a merge

6.3.1

Fixes

• #1160
  • Fixes error handling for IDX actions
  • Fixes saved IDX transaction

6.3.0

Features

• #1090
  • An authenticator can be provided to IDX methods as either a string (representing the authenticator key) or an authenticator object
  • IDX functions will accept the "canonical" name for inputs (as defined by server response). For example a credentials object can be passed to satisfy an "identify" remediation instead of username and password
  • idx.proceed will continue without saved transaction meta if a stateHandle is available
  • Unknown remediations/values will proceed if the proper data is supplied by the caller
  • IDX response object has a new field requestDidSucceed which will be false if the XHR was returned with a non-2xx HTTP status

Fixes

• #1090
  • Fixes concurrency issue with transformAuthState. Concurrent auth state updates will now enqueue calls to transformAuthState so that they execute sequentially
  • Fixes issue with in-memory storage provider, where storage was shared between AuthJS instances in the same page/process. In-memory storage will now be unique per AuthJS instance.
  • Fixes issue with the step option in IDX flows: it will only be used for a single remediation cycle
• #1136 Fixes typo in security question enrollment

Other

• #1090 Removes runtime regenerator for development builds

6.2.0

Features

• #1113 Updates types for SigninWithCredentialsOptions and SignInOptions to support SP Initiated Auth
• #1125 IDX - Supports auto select methodType (when only one selection is available) for authenticator-verification-data remediation
• #1114 Exposes ESM node bundle

Fixes

• #1114 Fixes ESM browser bundle issue by only using ESM import syntax

Fixes

• #1130 state now stored in session during verifyEmail flow

Other

• #1124
  • Adds multi-tab "leadership" election to prevent all tabs from renewing tokens at the same time
  • Adds granular configurations for autoRenew (active vs passive)
  • Adds options to isAuthenticated to override client configuration
  • Fixes issue in token renew logic within isAuthenticated, tokens are now read from tokenManager (not memory) before expiration is checked

6.1.0

Features

• #1036 Adds webauthn authenticator support in idx module
• #1075 Adds top level invokeApiMethod method as an escape hatch to make arbitrary OKTA API request
• #1093 Allows passing device context headers (X-Forwarded-For, User-Agent, X-Okta-User-Agent-Extended and X-Device-Token) to idx.interact. Follow setHeaders section to add headers to http requests.

Fixes

• #1071 TypeScript: Adds fields for Input type in NextStep object
• #1094 TypeScript: Fixes SigninOptions.context type
• #1092 Call updateAuthState when handleLoginRedirect fails

Other

• #1073 Upgrades cross-fetch to resolve security vulnerability

6.0.0

Breaking Changes

• #1003 Supports generic UserClaims type. Custom claims should be extended by typescript generics, like UserClaims<{ groups: string[]; }>
• #1050 Removes userAgent field from oktaAuth instance
• #1014 Shared transaction storage is automatically cleared on success and error states. Storage is not cleared for "terminal" state which is neither success nor error.
• #1051 Removes useMultipleCookies from CookieStorage options
• #1059
  • Removes signOut option clearTokensAfterRedirect
  • Adds signOut option clearTokensBeforeRedirect (default: false) to remove local tokens before logout redirect happen
• #1057 Strict checks are now enabled in the Typescript compiler options. Some type signatures have been changed to match current behavior.
• #1062
  • Authn method introspect is renamed to introspectAuthn (still callable as tx.introspect)
  • IdxFeature enum is now defined as strings instead of numbers

Features

• #1014 Updates IDX API to support email verify and recovery/activation
  • adds new configuration options recoveryToken and activationToken
  • email verify callback:
    • adds support for passing otp to idx pipeline
    • updates samples to display error message with OTP code
  • idx methods support new options:
    • exchangeCodeForTokens. If false, interactionCode will be returned on the transaction at the end of the flow instead of tokens.
    • autoRemediate. If false, there will be no attempt to satisfy remediations even if values have been passed.
  • TransactionManager supports new option:
    • saveLastResponse. If false, IDX responses will not be cached.
• #1062
  • All IDX methods are exported.
  • useInteractionCodeFlow defaults to true for sample and test apps.

5.11.0

• #1064 Supports skip authenticator in idx authentication flow

5.10.1

Fixes

• #1054 Fixes Typescript build error

5.10.0

Features

• #1010 Supports clearPendingRemoveTokens option in signOut method. This option can be used to avoid cross tabs sign out issue with Okta's downstream client SDK's SecureRoute component
• #1035 Adds security question authenticator support in idx module

Fixes

• #1028 Any error caught in token.renew() will be emitted and contain tokenKey property
• #1027 Don't reject isAuthenticated() because of failed token renewal
• #1032 Fixes idx recover password flow with identifier first org policy
• #1048 Points browser field to UMD bundle

5.9.1

Other

• #1021 Removes type field in package.json. As okta-auth-js includes multiple bundles (cjs, esm, umd) in the package, explicit type field causes error for some type of bundlers. This change fixes issue with @angular/cli.

5.9.0

Features

• #1004 Allows extra query parameters to be added to the authorize url

Other

• #1000
  • Fixes broken ES module bundle
  • Updates browser field in package.json to enable bundlers to use the ES module bundle by default

Fixes

• #1005
  • Handles rememberMe boolean in IDX Identify remediation adapter
  • Typescript: Adds type field for Input type in NextStep object
• #1012 Fixes null access when crypto is not present

5.8.0

Features

• #990 Supports email verify callback

5.7.0

Features

• #983 Adds new method setHeaders
• #990 Supports email verify callback

Fixes

• #988 Fixes Safari & Firefox browsers block getWithPopup issue
• #995 Sends cookie for authn related requests
• #985 Fixes issue with renewTokens that would drop scopes passed to getToken

Other

• #981 TypeScript: Allows optional paramters for IDX methods
• #986 TypeScript: Interface SignInWithRedirectOptions should extend TokenParams
• #992 TypeScript: Adds fields for Input type in NextStep object
• #997 Validates scopes config param is an array

5.6.0

Features

• #963
  • Adds getPreviousAuthState method to AuthStateManager
  • Allows null type for authState related methods / fields
• #948 Adds Google Authenticator support in idx module

Other

• #947 TypeScript: Allow custom keys in AuthState interface

Bug Fixes

• #967 Throw error in parseFromUrl if can't load transaction meta

5.5.0

Features

• #933 Adds ignoreLifetime option to disable token lifetime validation
• #932 Adds headers with response headers to all responses

Bug Fixes

• #936 Fixes getting mutiple memory storages issue in browser environment

5.4.3

Bug Fixes

• #926 Fixes incorrect using of tokenManager config (options autoRenew, autoRemove) in OktaAuth.isAuthenticated.
• #931 Fixes types compatibility issue with old typescript versions (< 3.8)
• #930 Fixes incorrect error message in idx AuthTransaction when user is not assigned.

5.4.2

Bug Fixes

• #927 Not trigger authStateManager.updateAuthState during login redirect in start method.

5.4.1

• #916 Removes misleading warning message for TokenManager methods

5.4.0

Features

• #908 Enables dynamic attributes for profile enrollment
• #906
  • Checks idToken integrity during token auto renew process
  • Enables emitting renewed event for TokenManager.setTokens method
  • Exposes crypto util module

5.3.1

Bug Fixes

• #893 Fixes MFA keep returning MFA_REQUIRED status

5.3.0

Features

• #891 Adds new method http.setRequestHeader

Bug Fixes

• #852 Skips non-successful requests cacheing
• #883 Resolves state from token.parseFromUrl

Other

• #853 Updates token.parseFromUrl signature (adds optional parameter)

5.2.3

Bug Fixes

• #873 Fixes AuthStateManager emitting inconsistence isAuthenticated state during active token auto renew by only checking existence of both tokens from storage

5.2.2

• #862 Fixes issue with untranspiled class keyword
• #858 Fixes issue with verifying tokens when using a proxied issuer

5.2.1

• #845 Fixes issue with renewing using refresh tokens

5.2.0

Features

• #831 Calculates ID token expiry time based on local clock
• #832 Supports rotating refresh tokens
• #838 idx.recoverPassword - checks if flow is supported

Bug Fixes

• #832 Fixes issues with refresh tokens
• #839 Fixes @okta/okta-idx-js missing core-js dependency.
• #844 Fixes ES module includes SDK_VERSION placeholder issue

Other

• #839
  • Moves tsd from dependencies to devDependencies
  • Reduces bundles size by upgrading @okta/okta-idx-js to 0.18.0 (replaced jsonpath with jsonpath-plus)
  • Reduces bundles size by removing unnecessary license banner

5.1.1

Bug Fixes

• #808 Fixes CommonJS bundle missing crypto modules issue

5.1.0

Features

• #730 updateAuthState returns a Promise.
• Adds idx module. See details in IDX README.md

5.0.3

Bug Fixes

• #807 Fixes CommonJS bundle missing crypto modules issue

5.0.2

Bug Fixes

• #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect

5.0.1

Bug Fixes

• #731 Fixes issue with handleLoginRedirect where a redirect could occur after an exception was thrown.

4.9.2

Bug Fixes

• #742 Fixes an issue where storage was being incorrectly cleared after an IDP redirect

4.9.1

Bug Fixes

• #731 Fixes issue with handleLoginRedirect where a redirect could occur after an exception was thrown.

5.0.0

Features

• #694 Adds cookies.sessionCookie option

Breaking Changes

• #689 New methods start and stop are added to control OktaAuth as a service.
• #515 Removes token.value field
• #540 Locks tokenManager.expireEarlySeconds option with the default value (30s) for non-dev environment
• #677 Http requests will not send cookies by default
• #678 Default value for originalUri is null.
• #706 Removes isPending from AuthState

Other

• #675 Removes warning when calling updateAuthState when there are no subscribers
• #706 calling isAuthenticated will renew expired tokens when autoRenew is true

4.9.0

Bug Fixes

• #656 Fixes TokenManager.renew to renew only requested token

Features

• #656 Adds token.renewTokensWithRefresh

4.8.0

Features

• #652 Accepts 'state' as a constructor option

Bug Fixes

• #646 Fixes validate token using issuer from well-known config

Other

• #648 Updates widget to 5.4.2
• #653 Removes isLoginRedirect check in oidc logic
• #661 Upgrades node-cache to 5.1.2

4.7.2

Bug Fixes

• #638 Fixes an issue with revoking refresh tokens
• #632 Fixes an issue with renewing refresh tokens
• #616 Fixes issue with fetch on IE Edge versions 14-17.

4.7.1

Bug Fixes

• #627 Fixes an issue with Typescript and StorageManagerOptions

4.7.0

Features

• #620 Adds support for interaction_code and error=interaction_required on redirect callback
• #604 Adds new utility objects: storageManager and transactionManager

Bug Fixes

• #614 Fixes issue with renewTokens and implicit flow: get responseType value from SDK configuration

Other

• #594 Adds @babel/runtime to dependencies list.
• #572 Add idps options for Signin widget flow in samples
• #565 Adds support for widget version and interaction code to test app and samples

4.6.2

Bug Fixes

• #616 Fixes issue with fetch on IE Edge versions 14-17.

4.6.1

• #595 Ports fix for overeager catch when using refresh token originally from #579

4.6.0

Features

• #585 Uses native fetch, if available

Other

• #583 Better error handling for redirect flows: if redirect URI contains error or error_description then isLoginRedirect will return true and parseFromUrl will throw OAuthError

4.5.1

Bug Fixes

• #579 Removes overeager catch when using refresh token

4.5.0

Features

• #567 Adds new methods:
  • token.prepareTokenParams
  • token.exchangeCodeForTokens
  • pkce.generateVerifier
  • pkce.computeChallenge and constant:
  • pkce.DEFAULT_CODE_CHALLENGE_METHOD This API allows more control over the PKCE authorization flow and is enabled for both browser and nodeJS.

4.4.0

Features

• #554 Adds MFA types

4.3.0

Features

• #518 Added claims to AccessToken

4.2.0

Features

• Adding the ability to use refresh tokens with single page applications (SPA) (Early Access feature - reach out to our support team)
  • scopes configuration option now handles 'offline_access' as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings
    • If you already have tokens (from a separate instance of auth-js or the okta-signin-widget) those tokens must already include a refresh token and have the 'offline_access' scope
    • 'offline_access' is not requested by default. Anyone using the default scopes and wishing to add 'offline_access' should pass scopes: ['openid', 'email', 'offline_access'] to their constructor
  • renewTokens() will now use an XHR call to replace tokens if the app has a refresh token. This does not rely on "3rd party cookies"
    • The autoRenew option (defaults to true) already calls renewTokens() shortly before tokens expire. The autoRenew feature will now automatically make use of the refresh token if present
  • signOut() now revokes the refresh token (if present) by default, which in turn will revoke all tokens minted with that refresh token
    • The revoke calls by signOut() follow the existing revokeAccessToken parameter - when true (the default) any refreshToken will be also be revoked, and when false, any tokens are not explicitly revoked. This parameter name becomes slightly misleading (as it controls both access AND refresh token revocation) and will change in a future version.

4.1.2

Bug Fixes

• #541 Fixes type error in VerifyRecoveryTokenOptions

4.1.1

Bug Fixes

• #535 Respects scopes that are set in the constructor

4.1.0

Features

• #869
  • Implements AuthStateManager to evaluate and emit latest authState. Exposes new methods from AuthStateManager:
    • authStateManager.getAuthState
    • authStateManager.updateAuthState
    • authStateManager.subscribe
    • authStateManager.unsubscribe
  • Adds new methods in sdk browser scope:
    • sdk.signInWithCredentials
    • sdk.signInWithRedirect
    • sdk.isAuthenticated
    • sdk.getUser
    • sdk.getIdToken
    • sdk.getAccessToken
    • sdk.storeTokensFromRedirect
    • sdk.setOriginalUri
    • sdk.getOriginalUri
    • sdk.removeOriginalUri
    • sdk.isLoginRedirect
    • sdk.handleLoginRedirect
  • Deprecates method in sdk browser scope:
    • sdk.signIn
  • Adds new methods in sdk.tokenManager:
    • tokenManager.getTokens
    • tokenManager.setTokens
  • Accepts new options
    • transformAuthState
    • restoreOriginalUri
    • autoRemove
    • devMode
• #469 Adds "rate limiting" logic to token autoRenew process to prevent too many requests be sent out which may cause application rate limit issue.
• #503 Supports relative uri for options.redirectUri
• #478 Adds cross tabs communication to sync AuthState.
• #525 Adds new methods hasResponseType, isPKCE, isAuthorizationCodeFlow. The option responseType is now accepted in the constructor.

Bug Fixes

• #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
• #514 Fixes OAuth redirect params issue in legacy browsers.

4.0.3

Bug Fixes

• #468 Fixes issue where HTTP headers with an undefined value were being sent with the value "undefined". These headers are now removed before the request is sent.
• #514 Fixes OAuth redirect params issue in legacy browsers.
• #520 token.isLoginRedirect will check that current URL matches the redirectUri

4.0.2

• #491 Fixes issue with OAuth param cookie when using self-hosted signin widget

• #489 Fixes sameSite cookie setting when running on HTTP connection

4.0.1

Bug Fixes

• #473 Fixes login issue when cookies are blocked or used as shared state storage

4.0.0

Features

• #413 Adds support for Typescript. Uses named exports instead of default export.
• #444 New method tokenManager.hasExpired to test if a token is expired

Breaking Changes

• #444
  • Implements "active" autoRenew. Previously tokens would be renewed or removed when calling tokenManager.get. Now they will be renewed or removed in the background. If autoRenew is true, tokens will be renewed before expiration. If autoRenew is false, tokens will be removed from storage on expiration.
  • onSessionExpired option has been removed. TokenManager events can be used to detect and handle token renewal errors.
  • tokenManager.get no longer implements autoRenew functionality (autoRenew is done by a separate process within TokenManager). Even with autoRenew, it is possible that the token returned from the TokenManager may be expired, since renewal is an asynchronous process. New method tokenManager.hasExpired can be used to test the token and avoid this potential race condition.

3.2.6

• #522 Fixes token.isLoginRedirect issue with code query params in url
• #517 Fixes OAuth redirect params issue in legacy browsers

3.2.5

• #491 Fixes issue with OAuth param cookie when using self-hosted signin widget

• #489 Fixes sameSite cookie setting when running on HTTP connection

3.2.4

Bug Fixes

• #473 Fixes login issue when cookies are blocked or used as shared state storage

3.2.3

Bug Fixes

• #440 Fixes signOut XHR fallback to reload page only if postLogoutRedirectUri matches the current URI
• #445 Clears access token from storage after token revocation

3.2.2

Bug Fixes

• #422 Fixes revoke accessToken in signOut method
• #441 Fixes issue involving an "invalid grant" error: "PKCE verification failed."

3.2.1

Bug Fixes

• #431 Skips non parsable iframe messages for sdk.fingerprint

3.2.0

Features

-#408 Provides a polyfill for IE 11+

-#410 Add token.isLoginRedirect function to prevent app from starting new Oauth flow while already in OAuth callback state.

3.1.4

Bug Fixes

• #400 Allows an accessToken to be retrieved without an idToken. Also allows retrieving "default" scopes as defined by the custom authorization server.

• #402 Fixes tokenManager cookie storage size limitation issue by store tokens in separated cookies.

3.1.3

Bug Fixes

• #395 Prevents concurrent use of token API methods such as getWithoutPrompt, getWithRedirect or getWithPopup within a single running instance. These methods will be executed within a queue to ensure that they complete sequentially. This fix only affects a single instance. If there are several instances running (for example, in multiple tabs) it is still possible for token API methods to be executing concurrently.

• #399 Fixes an error involving PKCE flow and the signin widget.

3.1.2

• #384 Shifts browser storage for ephemeral PKCE code challenge to default to sessionStorage before localStorage or cookies.
  • This should reduce problems with multiple tabs making overlapping requests to renew tokens.
• #386 Fixes token.verify: validationParams should be optional.

3.1.1

Bug Fixes

• #369

  • Will reject with error if PKCE is enabled but not supported when OIDC flow is initiated. Previously this check was done in the constructor and affected non-OIDC flows

  • Will print a console warning and disable secure cookies if cookies.secure is enabled on an HTTP connection. Previously this would throw in the constructor.

3.1.0

Features

• #363
  • Expose server bundle for React Native platform as an Authentication SDK.
  • Handle userAgent customization with newly added userAgent field in config.

3.0.1

Bug Fixes

• #354 - Omit cookies from API requests. Removes warning messages in latest version of Chrome.

• #355 - Fix for authorization_code flow for non-SPA applications (when responseType=code and pkce=false). The code can be retrieved client-side using parseFromUrl() without throwing an error.

3.0.0

Features

New option cookies allows overriding default secure and sameSite values.

Breaking Changes

• #308 - Removed jquery and reqwest httpRequesters

• #309 - Removed Q library, now using standard Promise. IE11 will require a polyfill for the Promise object. Use of Promise.prototype.finally requires Node > 10.3 for server-side use.

• #310 - New behavior for signOut()

  • postLogoutRedirectUri will default to window.location.origin
  • signOut() will revoke access token and perform redirect by default. Fallback to XHR closeSession() if no idToken.
  • New method closeSession() for XHR signout without redirect or reload.
  • New method revokeAccessToken()

• #311 - parseFromUrl() now returns tokens in an object hash (instead of array). The state parameter (passed to authorize request) is also returned.

• #313 - An HTTPS origin will be enforced unless running on http://localhost or cookies.secure is set to false

• #316 - Option issuer is required. Option url has been deprecated and is no longer used.

• #317 - pkce option is now true by default. grantType option is removed.

• #320 - getWithRedirect, getWithPopup, and getWithoutPrompt previously took 2 sets of option objects as parameters, a set of "oauthOptions" and additional options. These methods now take a single options object which can hold all available options. Passing a second options object will cause an exception to be thrown.

• #321

  • Default responseType when using implicit flow is now ['token', 'id_token'].
  • When both access token and id token are returned, the id token's at_hash claim will be validated against the access token

• #325 - Previously, the default responseMode for PKCE was "fragment". It is now "query". Unless explicitly specified using the responseMode option, the response_mode parameter is no longer passed by token.getWithRedirect to the /authorize endpoint. The response_mode will be set by the backend according to the OpenID specification. Implicit flow will use "fragment" and PKCE will use "query". If previous behavior is desired, PKCE can set the responseMode option to "fragment".

• #329 - Fix internal fetch implementation. responseText will always be a string, regardless of headers or response type. If a JSON object was returned, the object will be returned as responseJSON and responseType will be set to "json". Invalid/malformed JSON server response will no longer throw a raw TypeError but will return a well structured error response which includes the status code returned from the server.

Other

• #306 - Now using babel for ES5 compatibility. All polyfills have been removed.

• #312 - Added an E2E test for server-side authentication (node module, not webpack).

2.13.2

Bug Fixes

-#338 - (Fix for Chrome 80) Setting 'Secure' on cookies if running on HTTPS. Setting 'SameSite=Lax' on cookies if running on HTTP. TokenManager (if using cookie storage) will retain previous behavior, setting 'SameSite=Lax' in all cases unless tokenManager.secure is set to true via config.

2.13.1

Bug Fixes

• #334 - Setting 'SameSite=none' for all cookies (Fix for iFrame)

2.13.0

Features

• #324 - Support responseMode: "query" option for SPA apps using PKCE flow

2.12.1

Bug Fixes

• #315getWellKnown was using base url over issuer. Method has been fixed to use issuer, if configured, and will fallback to base url
• #319 - Setting 'SameSite=lax' for all cookies (Fix for Firefox/Safari)

2.12.0

Features

• #304 - Will set a 'SameSite' value on all cookies set by this SDK
  • Cookies intended for server-side use will be set to 'Lax', cookies intended for client-side use will be set to 'Strict'

2.11.2

Features

• #271 - New option onSessionExpired

2.11.1

Other

• #293 - Copy markdown files to package directory during publish

2.11.0

Features

• #288 - New options for signOut:
  • Can provide a post-logout redirect URI.
  • Can revoke access token

Bug Fixes

• #288 - calling signOut will clear the TokenManager.
• #284 - isPKCESupported will return false if TextEncoder is not available (IE Edge).

Other

• #284 - better error messages when attempting to use PKCE in an unsupported browser configuration.

2.10.1

Other

• Fixes incorrect npm publish of previous version

2.10.0

Features

• #266 - New storage options for TokenManager

Bug Fixes

• #265 - Fix for popup blockers

Other

• #256 - Adds E2E tests, updates test app
• #249 - Convert to yarn workspace
• #264 - Removed lib/config.js, replaced with lib/constants.js and webpack define

2.9.0

Features

• add5369 Add support to pass callback to poll function

Bug Fixes

• 541683 Origin mismatch will now cause promise rejection (token renew)
• d9900a TokenManager: return existing promise for concurrent requests
• 77ece4 Clear token on 'AuthSdkError'

2.7.0

Features

• (#238) - Adds pass-thru of optional 'loginHint' and 'idpScopes' params (resolves issue #214)

2.6.3

Other

• (#235) - Option grantType has been deprecated and will be removed in 3.0

2.6.2

Features

• (#233) - New option pkce

Bug Fixes

• (#233) The default responseMode was incorrectly set to fragment instead of query when the responseType was code. This regression was introduced in version 2.6.0.

• 747216b fix build process, so that /dist/okta-auth-js.min.js is for browsers (since version 2.2.0, dist/ output was being built for node.js applications, which was not intended)

2.6.1

Features

• d8d2fee TokenManager: new option expireEarlySeconds

Bug Fixes

• TokenManager: Re-enables use of custom storage keys

Other

• TokenManager: Document the maxClockSkew option

2.6.0

Features

• 0a8a4e1 PKCE support

Bug Fixes

• TokenManager: tokens were being expired 5 minutes early

2.5.0

Features

• d736cc9 - New TokenManager option to support HTTPS-only "secure" cookies.

Other

• fddec0a - Use fetch as the default request agent (instead of reqwest).

2.3.1

Bug Fixes

• #187 - When deprecated ajaxRequest was passed to config, the logger for the deprecate message was still using window.console. This fix makes the logger isomorphic.

2.3.0

Features

• #184 - Adds support for calling the AuthN API from Node

2.2.0

Bug Fixes

• #178 - Resolves an issue introduced with #171 causing the silent login flow to throw errors

2.1.0

Bug Fixes

• #172 - Fixes an issue where default storage was read-only
• #161 - ignoreSignature was not set when redirecting

Other

• #171 - Scrub null/undefined values from authorize requests
• #162 - Update dependencies

2.0.1

Bug Fixes

• Fixed an problem, introduced in 2.0.0, that was causing tokens to be refreshed every time authClient.tokenManager.get('accessToken') was called.

2.0.0

Breaking Changes

• Token retrieval is now asyncronous to account for automatic token renewal.

  // ES2016+
  const accessToken = await authClient.tokenManager.get('accessToken');
  
  // Handle as a promise
  authClient.tokenManager.get('accessToken')
  .then(function(accessToken) {
    console.log(accessToken);
  });

• Removed the following deprecated methods:

  • idToken.authorize
  • idToken.verify
  • idToken.refresh
  • idToken.decode

Features

• Clears whitespace around URLs when instantiating the client.
• Infer the url from the issuer to simplify client setup.

Other

• Renames all refresh methods on the token and tokenManager objects to renew.