CHANGELOG.md

Change Log

v9.0.0-beta.3 (2017-10-26)

Full Changelog

Change Log

• Changing popup.loginWithCredentials to work with Cross Origin Authentication and web_message flows. #528

v9.0.0-beta.2 (2017-10-19)

Full Changelog

Change Log

• Better handling errors in checkSession. #524

v9.0.0-beta.1 (2017-10-19)

Full Changelog

Change Log

• Removes a few legacy endpoints and deprecates auth0.client.loginWithCredentials, which is now calling the co/authenticate method instead of usernamepassword/login. #521

v8.10.1 (2017-09-19)

Full Changelog

Changed

• Removing renewSession and keeping only checkSession #505 (luisrudge)

Change Log

v8.10.0 (2017-09-18)

Full Changelog

Added

• Adding web_message flow #500 (luisrudge)

Fixed

• Fixing tenant override in popup mode #501 (luisrudge)
• Allow overriding the timeout as part of the renewAuth method #497 (dctoon)

Change Log

v8.9.3 (2017-08-21)

Full Changelog

Fixed

• Using transaction manager on passwordlessStart #492 (luisrudge)

Change Log

v8.9.2 (2017-08-17)

Full Changelog

Fixed

• Fix passwordlessVerify not sending nonce #489 (luisrudge)

Change Log

v8.9.1 (2017-08-11)

Full Changelog

Fixed

• Fixed credentialType url #487 (luisrudge)

Change Log

v8.9.0 (2017-08-10)

Full Changelog

Added

• Add flag to retry requests #484 (luisrudge)
• Add cross-origin-auth support to Passwordless #482 (luisrudge)

Changed

• Avoid snake casing of metadata on signup #475 (hzalaz)

Fixed

• Send empty verifier when can't access sessionStorage #470 (luisrudge)

Change Log

v8.8.0 (2017-06-20)

Full Changelog

Changed

• Update idtoken-verifier #458 (hzalaz)

Fixed

• Fix passwordless inside hosted login page #459 (hzalaz)

v8.7.0 (2017-05-24)

Full Changelog

Added

• Adding scope to the parsed hash object #434 (luisrudge)
• Add option to filter iframe events to prevent incorrect events triggering callbacks #432 (aaronchilcott)
• Adding cross-origin-auth sessionless flow #431 (luisrudge)
• Adding new LoginTicket flow (with session) #426 (hzalaz)

Changed

• Sending all /co/authenticate errors to the error callback #443 (luisrudge)
• Fix some examples and docs + using https everywhere #436 (luisrudge)

Fixed

• Add login_ticket to params whitelist #442 (luisrudge)
• Fix decoding base64 string with special characters #440 (luisrudge)
• Fixed issues with overrides not being used #430 (sandrinodimattia)

Change Log

v8.6.1 (2017-05-08)

Full Changelog

Fixed

• Fix postMessage handler to handle parsed objects as well #420 (luisrudge)

v8.6.0 (2017-04-24)

Full Changelog

Fixed

• Fixed nonce checking on renewAuth method #413 (luisrudge)
• Fixed 'qs' dependency #401 (maxpaj)

v8.5.0 (2017-03-27)

Full Changelog

Changed

• Improve jsdocs #393 (hzalaz)

Fixed

• Fixing error handling for when the error comes as a successful response from WinChan #395 (luisrudge)
• Correct spelling mistake in web-auth JSDoc resulting in incorrect autocomplete suggestions #388 (Geeman201)

v8.4.0 (2017-03-13)

Full Changelog Closed issues

• winchanOptions missing parameters #378
• 'Nonce does not match' error when state data contains '=' encoded as %3D #377

Added

• Added possibility to specify custom popup size #379 (artemtool)

Changed

• Whitelist resource owner parameters #386 (hzalaz)
• Only allow to be used in node 6.9 or later #385 (hzalaz)
• Restrict what popupOptions fields are used #383 (hzalaz)
• Replace querystring implementation with qs module #382 (selaux)
• Deprecation warning: webauth.login → webauth.authorize #367 (dtinth)

Fixed

• Pass to popup the needed params for auth #381 (hzalaz)

v8.3.0 (2017-03-01)

Full Changelog

Added

• Integration tests #346 (glena)
• Whitelist nonce, state, _csrf and _instate from constructor #345 (glena)
• Added flag to disable id_token verification for legacy clients #341 (glena)
• Popup no owp #337 (glena)

Changed

• Remove warnings around refreshing session #353 (hzalaz)
• Updated passwordless start jsdocs #340 (glena)

Fixed

• Only parse cordova callback hash #370 (hzalaz)

v8.2.0 (2017-01-30)

Full Changelog

Added

• Plugins support + cordova plugin #333 (glena)

Fixed

• popup.authorize should not require redirectURI when using OWP #336 (glena)

v8.1.3 (2017-01-23)

Full Changelog

Fixed

• Fix case convertion of null values #329 (glena)

v8.1.2 (2017-01-19)

Full Changelog

Fixed

• Fixed params whitelist for authorize endpoint #324 (glena)

v8.1.1 (2017-01-17)

Full Changelog

Changed

• Removed state requirement #321 (glena)

Removed

• Revert "Fallback to math.random if there is no crypto support" #320 (glena)

Fixed

• Fix undefined variable #319 (glena)

v8.1.0 (2017-01-17)

Full Changelog

Added

• Fallback to math.random if there is no crypto support #316 (glena)

Fixed

• Fix passwordless #315 (glena)
• Passwordless start: map params to authParams and fix tests #306 (glena)
• Fix transaction usage to delete what is stored in local storage #298 (glena)

Breaking changes

• Do not change casing of the user profile object #307 (glena)

v8.0.4 (2017-01-06)

Full Changelog

Fixed

• Fix undefined valud in for #295 (glena)

v8.0.3 (2017-01-06)

Full Changelog

Added

• Add the option to provide a leeway #292 (glena)

v8.0.2 (2017-01-05)

Full Changelog

Fixed

• Polyfill functions #285 (glena)

v8.0.1 (2017-01-04)

Full Changelog

Fixed

• Fix getSSOData failing due to extra headers #284 (glena)

v8.0.0 (2017-01-03)

Full Changelog

In v8 auth0.js is divided in three different components:

• WebAuth: Handles all AuthN/AuthZ flows with redirect/popup inside the browser and related Auth API endpoints, e.g. /logout.
• AuthenticationAPI: Helper methods for calling Auth0 Authentication API
• ManagementAPI: Helper methods for calling Auth0 Management API

To get started you can just create a WebAuth instance like this

var auth0 = new auth0.WebAuth({
  domain: "{YOUR_AUTH0_DOMAIN}",
  clientID: "{YOUR_AUTH0_CLIENT_ID}"
});

Since auth0.js is intended to be used in javascript clients running in the browser most of the times an instance of WebAuth is needed.

And if you ever need to perform an xhr request to Auth0 Authentication API, WebAuth exposes an instance of AuthenticationAPI

auth0.client.userInfo(accessToken, function(error, userInfo) {
    // User information or error
  });

Added

• add token validation and signature verification to the parseHash method #278 (glena)
• Add method to signup and login using password-realm #277 (glena)

Breaking changes

• Rename methods based on authN and authZ type #280 (glena)

v8.0.0-beta.3 (2016-12-19)

Full Changelog

Fixed

• special handling for popup error responses #276 (glena)

v8.0.0-beta.2 (2016-12-16)

Full Changelog

Added

• Cookie fallback for storage #270 (glena)

Fixed

• Return policy attr in errors + responseType validation #273 (glena)

v8.0.0-beta.1 (2016-12-14)

Full Changelog

Added

• Add get user country method for passwordless #267 (glena)
• Login with password realm grant via /oauth/token #265 (glena)

Changed

• Add standard fields to parseHash and normalize responses to camelCase #261 (glena)
• Add Whitelist of authorize parameters #258 (glena)

Fixed

• Send cookies on CORS call #259 (glena)

v8.0.0-alpha.2 (2016-12-05)

Full Changelog

Closed issues

• redirectUri should not be mandatory in the constructor #249
• responseMode should be part of the constructor params #247
• Check if all the methods accepts the same parames from constructor #246

Added

• Preload window for popup signup and login #256 (glena)
• Quirks mode and deprecations warning #255 (glena)
• Added responseMode, all methods uses the same params from construct, redirectUri is not mandatory #253 (glena)
• Added sso data client #251 (glena)
• V8 Popup mode #245 (glena)
• Added nonce and status to mitigate replay attacks #244 (glena)

Changed

• Fix nonce mismatch check #254 (glena)

v8.0.0-alpha.1 (2016-11-21)

Full Changelog

Added

• Change webauth structure + Allow to abort requests #240 (glena)
• added extra options + snake to camel all the options #236 (glena)
• V8: Signup and passwordless #232 (glena)
• Webauth redirect login/callback #231 (glena)