v1.7.0
Highlights
This release introduces a number of new features; two of these are detailed below:
Rotating Refresh Tokens
This feature adds support for rotating Refresh Tokens, which can be used to mitigate the effects of modern browser privacy tools, such as Safari's ITP technology. Refresh tokens do not depend on the user's session cookie and thus are unaffected by third-party cookie blocking.
To turn on the use of Refresh Tokens in the SDK, use the useRefreshTokens option when configuring the SDK client:
await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  useRefreshTokens: true // the default is 'false'
})
Local Storage
From this release, you can opt in to using local storage to store the tokens that are returned from the authorization server. The default is to use the in-memory cache.
Note: Enabling local storage changes the security characteristics of your application; please read and understand the implications of enabling use of local storage to store tokens.
To do this, set cacheLocation to localstorage when configuring the SDK client:
await createAuth0Client({
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  cacheLocation: 'localstorage'
})
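The difference between the two cache locations, together with the removal-on-read expiry listed in the changelog below, sketched as an added example (not the SDK's own code). Every name here (makeTokenCache, makeFakeLocalStorage, tokensVisibleToOtherScripts) is hypothetical, and the tokens and clock are constructed values.

```javascript
// Added illustration, not the SDK's implementation. All names are hypothetical.

// Minimal stand-in for window.localStorage so the example runs under Node.
// keys() is a convenience of this stub, not part of the real Storage API.
function makeFakeLocalStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    keys: () => [...data.keys()],
  };
}

// Token cache with removal-on-read: an expired entry is deleted when it is
// next requested, rather than by a setTimeout timer.
function makeTokenCache(storage, now = () => Date.now()) {
  const memory = new Map(); // used only when no storage object is given
  const read = (k) => (storage ? storage.getItem(k) : memory.get(k) ?? null);
  const write = (k, v) => (storage ? storage.setItem(k, v) : memory.set(k, v));
  const drop = (k) => (storage ? storage.removeItem(k) : memory.delete(k));
  return {
    save(key, token, expiresInSec) {
      write(key, JSON.stringify({ token, expiresAt: now() + expiresInSec * 1000 }));
    },
    get(key) {
      const raw = read(key);
      if (raw === null) return undefined;
      const entry = JSON.parse(raw);
      if (entry.expiresAt <= now()) { drop(key); return undefined; } // removal-on-read
      return entry.token;
    },
  };
}

// What any other script running on the same origin could read from storage.
function tokensVisibleToOtherScripts(storage) {
  return storage.keys().map((k) => JSON.parse(storage.getItem(k)).token);
}

function demo() {
  let clock = 0; // constructed clock, in milliseconds
  const shared = makeFakeLocalStorage();
  const inMemory = makeTokenCache(null, () => clock);
  const persisted = makeTokenCache(shared, () => clock);
  inMemory.save('app', 'constructed-token-A', 60);
  persisted.save('app', 'constructed-token-B', 60);
  const exposed = tokensVisibleToOtherScripts(shared); // only the persisted token
  clock = 61000; // advance past expiry
  return { exposed, afterExpiry: persisted.get('app'), leftInStorage: shared.keys().length };
}
```

The in-memory token never appears in shared storage, while the persisted one is readable by anything that can reach the storage object until it is read after expiry and removed.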
The full changelog is below.
Added
- Support for rotating refresh tokens #315 (stevehobbsdev)
- Export types from global TypeScript file. #310 (maxswa)
- Local Storage caching mechanism #303 (stevehobbsdev)
Changed
- Use Web Workers for token endpoint call for in-memory storage #409 (adamjmcgrath)
- Export constructor #385 (adamjmcgrath)
- Fall back to iframe method if no refresh token is available #364 (stevehobbsdev)
- Removed setTimeout cache removal in favour of removal-on-read #354 (stevehobbsdev)
- Stop checking isAuthenticated cookie on initialization when using local storage #352 (stevehobbsdev)
- getTokenSilently retry logic #336 (stevehobbsdev)
- Fixed issue with cache not retaining refresh token #333 (stevehobbsdev)
Fixed
- Check if source of event exists before closing it #410 (gerritdeperrit)
- Check if iframe is still in body before removing #399 (paulfalgout)
- Fix typings to allow custom claims in ID token #386 (picosam)
- Fix error in library type definitions #367 (devoto13)
Security
- Dependency upgrade #405 (stevehobbsdev)