[SDK-1179] Support for rotating refresh tokens #315

Merged
merged 15 commits into from
Jan 8, 2020

stevehobbsdev
Contributor

Description

This PR adds support for rotating refresh tokens. Some highlights:

  • A new option on createAuth0Client called useRefreshTokens has been implemented and set to false by default. When this is true, the SDK will attempt to call the /token endpoint using the refresh_token grant type along with a refresh token from the cache.
  • When useRefreshTokens is false, the existing code path that attempts to retrieve a new access token using a hidden iframe and prompt=none remains.

Note: This PR does not yet implement a retry mechanism for when there is a network error when trying to retrieve a new access token.

Note 2: This PR builds upon https://github.com/auth0/auth0-spa-js/tree/feature/storage. The two PRs will likely go in together and will be merged into https://github.com/auth0/auth0-spa-js/tree/release/rtr

Testing

For manual testing, the playground as enhanced by feature/storage has been extended to support toggling the use of refresh tokens. This helps when visualizing the network traffic so you can see what network requests are being made. Clone, npm install then npm start to run the playground on http://localhost:3000. To make use of the RTR feature, your Auth0 tenant must have the feature flag enabled, and RTR turned on for a specific client using a call to API 2.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master
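Added example (not part of the PR or of auth0-spa-js): a sketch of the refresh-token path the description outlines, run against a constructed in-memory token endpoint that rotates the refresh token on every use. It shows why the client has to overwrite the cached refresh token after each exchange and where the iframe path takes over; `createMockTokenEndpoint`, `refreshAccessToken`, `getToken`, `runDemo` and all token values are assumptions made for the illustration.

```javascript
// Added example; createMockTokenEndpoint, refreshAccessToken, getToken and
// runDemo are hypothetical names, not auth0-spa-js APIs.

// Constructed stand-in for POST /oauth/token with rotation enabled: each
// successful refresh_token grant retires the presented token and issues a new one.
function createMockTokenEndpoint(initialRefreshToken) {
  let current = initialRefreshToken;
  let issued = 0;
  return async function postToken(body) {
    if (body.grant_type !== 'refresh_token' || body.refresh_token !== current) {
      return { status: 403, json: { error: 'invalid_grant' } };
    }
    issued += 1;
    current = `rt-${issued}`;
    return {
      status: 200,
      json: { access_token: `at-${issued}`, refresh_token: current, expires_in: 86400 }
    };
  };
}

// Exchange the cached refresh token for a new access token and store the
// rotated refresh token that comes back with it.
async function refreshAccessToken(cache, postToken, clientId) {
  const entry = cache.get(clientId);
  if (!entry || !entry.refresh_token) {
    throw new Error('missing_refresh_token');
  }
  const res = await postToken({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: entry.refresh_token
  });
  if (res.status !== 200) {
    cache.delete(clientId); // the cached token is dead; do not retry with it
    throw new Error(res.json.error);
  }
  cache.set(clientId, {
    access_token: res.json.access_token,
    refresh_token: res.json.refresh_token, // overwrite, never keep the old one
    expires_at: Date.now() + res.json.expires_in * 1000
  });
  return res.json.access_token;
}

// Path selection as the PR describes it: refresh tokens when the option is on,
// otherwise (or when no refresh token is cached) the silent iframe flow.
async function getToken(options, cache, postToken, iframeFlow) {
  if (options.useRefreshTokens) {
    const entry = cache.get(options.client_id);
    if (entry && entry.refresh_token) {
      return refreshAccessToken(cache, postToken, options.client_id);
    }
  }
  return iframeFlow();
}

async function runDemo() {
  const clientId = 'example-client-id'; // constructed value
  const postToken = createMockTokenEndpoint('rt-0');
  const cache = new Map([[clientId, { refresh_token: 'rt-0' }]]);
  const iframeFlow = async () => 'at-from-iframe'; // stub for the prompt=none flow
  const options = { client_id: clientId, useRefreshTokens: true };

  const first = await getToken(options, cache, postToken, iframeFlow);
  const second = await getToken(options, cache, postToken, iframeFlow);

  // Failure mode: a cache that still holds the pre-rotation token.
  const staleCache = new Map([[clientId, { refresh_token: 'rt-0' }]]);
  let staleError = null;
  try {
    await getToken(options, staleCache, postToken, iframeFlow);
  } catch (err) {
    staleError = err.message;
  }
  // The dead token was dropped, so the next call goes through the iframe flow.
  const afterStale = await getToken(options, staleCache, postToken, iframeFlow);
  const optedOut = await getToken(
    { client_id: clientId, useRefreshTokens: false }, cache, postToken, iframeFlow);

  return {
    first, second, staleError, afterStale, optedOut,
    cachedRefreshToken: cache.get(clientId).refresh_token
  };
}

runDemo().then((result) => console.log(result));
```

The stale-cache case is the one to watch in practice: a client that fails to persist the rotated token gets `invalid_grant` on its next refresh.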

@stevehobbsdev stevehobbsdev added the "CH: Added" (PR is adding feature or functionality) and "review:medium" labels Dec 18, 2019
@stevehobbsdev stevehobbsdev requested a review from a team December 18, 2019 17:25
Contributor

@joshcanhelp joshcanhelp left a comment

Looks great so far! Nothing show-stopping but a few places for discussion.

options: GetTokenSilentlyOptions
): Promise<any> {
const stateIn = encodeState(createRandomString());
const nonceIn = createRandomString();
Contributor

Why encode state but not nonce?

Contributor

@joshcanhelp joshcanhelp Jan 7, 2020

Why encode state but not nonce?

@stevehobbsdev 👆

Contributor

Also ... why are we even doing anything with state here?

Contributor Author

This is part of the functionality that gets a new token using an iframe. The state and nonce values are passed through the /authorize URL. Even though we're using prompt=none, I assume we'd still have to pass state and nonce through?

As for why nonce is not encoded, I'm not sure. This is code that existed before the RT work so I don't have the background on that decision. Looking at it, it uses the same function createRandomString that's used to generate the state so it would make sense that nonce is also encoded. Let me look into changing that.

Contributor Author

nonce is now encoded wherever it is used.


const tokenResult = await oauthToken({
baseUrl: this.domainUrl,
audience: options.audience || this.options.audience,
Contributor

I don't believe this is necessary or validated at all. The auth code is tied to the initial request.

Contributor Author

Looks like you're right, the parameter isn't listed on the Auth0 API docs either. To be honest it's leftover from when the SDK was initially implemented.

I've removed the specification of audience on the oauthToken calls now.

src/Auth0Client.ts (resolved)
client_id: this.options.client_id,
grant_type: 'refresh_token',
refresh_token: cache.refresh_token
} as RefreshTokenOptions);
Contributor

Why OAuthTokenOptions and RefreshTokenOptions? I know the former already existed but seems OK to deprecate or just stop using.

Contributor Author

These have actually been refactored into a hierarchy. So, OAuthTokenOptions did exist previously but had all of the options on it. I've changed it so that both OAuthTokenOptions and RefreshTokenOptions both inherit from TokenEndpointOptions, which has all the common stuff on it.

Then, OAuthTokenOptions has all the stuff that's relevant for calling the token endpoint for the authorization_code grant (code verifier, etc) and RefreshTokenOptions has the refresh_token option available.

Make sense? I'm not married to the names but I think the hierarchy works.

Contributor

@joshcanhelp joshcanhelp Jan 7, 2020

The hierarchy makes sense, I'm talking more about the names here. We're doing OAuth either way, getting tokens either way. Seems like IframeTokenOptions would make more sense to match the method.

Not blocking 😃

Contributor Author

I get you. I'd like to rename this to PCKETokenOptions or something more applicable to using the authorization_code grant (which is when this type is used). I'm going to do that in a separate PR though, I want to do some more investigation as to whether that would be a breaking change or not.

src/Auth0Client.ts (resolved)
src/global.ts Outdated
@@ -96,6 +96,12 @@ interface Auth0ClientOptions extends BaseLoginOptions {
* The default setting is `memory`.
*/
cacheStrategy?: 'memory' | 'localstorage';

/**
* If true, refresh tokens are used to fetch new access tokens from the Auth0 server.
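Review bot: The doc comment on the option added to Auth0ClientOptions, as far as this hunk shows, covers only the true case ("If true, refresh tokens are used to fetch new access tokens from the Auth0 server."). The cacheStrategy comment directly above states its default ("The default setting is `memory`."); do the same here by saying that the default is false and that in that case the existing hidden iframe with prompt=none path is used, as the PR description puts it. It is also worth telling integrators in this comment that turning the option on adds the offline_access scope to their requests.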
Contributor

Maybe explain the false case here?

Contributor Author

Added an explanation for false.

src/global.ts (resolved)
src/index.ts Outdated

export default async function createAuth0Client(options: Auth0ClientOptions) {
validateCrypto();

if (options.useRefreshTokens) {
options.scope = options.scope
? getUniqueScopes(options.scope, 'offline_access')
Contributor

Could this util just handle undefined?

Contributor Author

Yes, in fact it already does. I've simplified its usage here as a result and updated some tests.

@stevehobbsdev stevehobbsdev changed the base branch from feature/storage to release/rtr January 6, 2020 15:41
Contributor

@joshcanhelp joshcanhelp left a comment

A few more potentially small things.

await getJSON(`${baseUrl}/oauth/token`, {
method: 'POST',
body: JSON.stringify({
grant_type: 'authorization_code',
Contributor

Is this breaking? Should keep authorization_code as the default?

Contributor Author

It's an internal method and I've made sure to configure everything that calls it with the correct grant type.

@stevehobbsdev stevehobbsdev merged commit 5ece8d2 into release/rtr Jan 8, 2020
@stevehobbsdev stevehobbsdev deleted the feature/rtr branch January 8, 2020 17:07
stevehobbsdev pushed a commit that referenced this pull request Jan 26, 2020
* Refactored getting token using iframe into its own method

* Implemented getTokenUsingRefreshToken

* Fixed up the playground page to support refresh tokens

* Set offline_access scope during initialization

* Added error condition for when a refresh token isn't stored or no cache exists

* Removed specification of audience when calling token endpoint

* Clarified docs on useRefreshTokens

* Simplified usage of getUniqueScopes in index.ts

* Fixed some playground syntax issues for IE11

* Playground now shows auth info on load if authenticated

* Simplified integration tests

* Added more integration tests around getting access tokens

* Encoded the nonce value when building authorize URLs

* Renamed encodeState to encode

* Fixed broken integration test
@stevehobbsdev stevehobbsdev added this to the v1.7.0 milestone Apr 7, 2020
stevehobbsdev pushed a commit that referenced this pull request Apr 15, 2020
* Export types from global TypeScript file.

* Fix BaseLoginOptions JSDoc.

* Fix Auth0Client export and integration tests.

* Prevent breaking changes with type and import.

* Add export for Auth0Client type.

* [SDK-1178] Local Storage caching mechanism (#303)

* Refactored existing cache

* Renamed to InMemoryCache
* Removed default export
* Added ICache
* Refactored tests
* Auth0Client now uses ICache instead of implemented cache type

* Added ability to configure cache strategy

* Added VS Code debug configuration for running tests

* Implemented local storage cache

* Made use of "in" to check presence of key in object

* Refactored playground page to use Vue + Bootstrap

* Added ability to clear the token cache

Added clear() to the ICache interface, meaning that this had to be
applied to the memory and localstorage caches.

Made use of jest-localstorage-mock package for easier testing with
localstorage, making the clear method easier to test for the
LocalStorageCache implementation.

* Revamped the playground page with Vue and Bootstrap additions

* Vulnerable dependency update

* Added a section in the readme about the caching strategy

* Fixed integration tests

* Readme wording

* Refactored how items are cleared from local storage

* Refactored cache key

* Readme tweak to make what 'data' is more clear

* Renamed cacheStrategy option to cacheLocation

* Cache now includes client_id in key

* [SDK-1179] Support for rotating refresh tokens (#315)

* Refactored getting token using iframe into its own method

* Implemented getTokenUsingRefreshToken

* Fixed up the playground page to support refresh tokens

* Set offline_access scope during initialization

* Added error condition for when a refresh token isn't stored or no cache exists

* Removed specification of audience when calling token endpoint

* Clarified docs on useRefreshTokens

* Simplified usage of getUniqueScopes in index.ts

* Fixed some playground syntax issues for IE11

* Playground now shows auth info on load if authenticated

* Simplified integration tests

* Added more integration tests around getting access tokens

* Encoded the nonce value when building authorize URLs

* Renamed encodeState to encode

* Fixed broken integration test

* Release 1.7.0-beta.1 (#327)

* Release 1.7.0-beta.1

* Tweaked intermittently-failing test

* Fixed issue with cache not retaining refresh token (#333)

* Fixed issue with cache not retaining refresh token

* Fix integration tests

* Removed unused core-js import

* Extracted 1 day in seconds value to a constant

* Applied comment to be consistent with related test

* Applied brace styling for consistency

* Reworked expiry tests to mock date instead of using negative exp

* Added some comments to the cache tests to explain the test scenario

* Cleaned up JS return statement styling

* Prepare 1.7.0-beta.2 (#334)

* Wrapped InMemoryCache implementation in a closure (#337)

* Reinstated lock on getTokenSilently

* Fixed up code + tests after rebase

* Fixed up types

* Removed undesirables from the docs generation

* [SDK-1352] Removed setTimeout cache removal in favour of removal-on-read (#354)

* Removed setTimeout cache expiry in favour of expiry-on-read

* Replace magic values with a constant

* [SDK-1279] getTokenSilently retry logic (#336)

* Added retry logic to getJSON

* Moved retry count to a constant

* Reverted changes to oauthToken

* Reduced retry count to 3

* Implemented a timeout around the fetch call

* Made the fetch timeout a default value and adjusted tests

* Fixed broken test after merge

* Implemented AbortController to abort fetch on timeout

* Added abortcontroller polyfill

* Created factory function for AbortController to be mocked and tested

* [SDK-1352] Stop checking `isAuthenticated` cookie on initialization when using local storage (#352)

* Changes to the initialization strategy

* Removed unused import from a test

* Release 1.7.0-beta.3 (#358)

* Fix error in library type definitions (#367)

`// @ts-ignore` comment is not preserved in the generated type definition, which means that library ships broken type definitions and consumers will get an error when they attempt to use it.

Reproduction:

```
$ npm i @auth0/[email protected] typescript
$ cat index.ts
import c from '@auth0/auth0-spa-js';
$ ./node_modules/.bin/tsc --noEmit index.ts
node_modules/@auth0/auth0-spa-js/dist/typings/index.d.ts:9:8 - error TS2440: Import declaration conflicts with local declaration of 'Auth0Client'.

9 import Auth0Client from './Auth0Client';
         ~~~~~~~~~~~

Found 1 error.
```

* [SDK-1386] Fall back to iframe method if no refresh token is available (#364)

* Logic falls back to the iframe method when no refresh token is found

* Cleaned up a variable name

* Updated integration test

* Release 1.7.0-beta.4 (#370)

* Updated cache configuration instructions in the readme

* Removed unused cacheStrategy param from buildAuthorizeUrl

* [SDK-1379] Export constructor (#385)

Export constructor

* Release 1.7.0-beta.5 (#393)

* [SDK-1507] Dependency upgrade (#405)

* Ran npm audit fix

* Updated packages within semver

* Updated typedoc

* Updated rollup to 2.3.3 + plugins

* Updated idtoken-verifier to 2.0.2

* Fixed warnings on async describe blocks

* Updated prettier/pretty-quick

* Updated Husky and ran husky-upgrade

* Updated Cypress, wait-on and concurrently

* Upgraded tslint

* Updated circle image

* [SDK-1516] Web Workers  (#409)

* fetch in a web worker

* token worker

* known issue: doesn't work if user already logged in (need authorization_code grant_type to populate the refresh token)

* add iframe fallback

* fix tests

* We want to load:
`rollup-plugin-worker-loader::module:./token.worker.ts`
But not:
rollup-plugin-worker-loader::module:/Users/adammcgrath/dev/auth0-spa-js/src/token.worker.ts
TODO: check windows

* Fixed ES5 transpilation for rollup worker plugin

* Make messages serializable using `JSON.parse(JSON.stringify({}))`
Swap imports per https://github.com/mo/abortcontroller-polyfill/blob/3f1c13d2e4087ee15ded81786f1110ae547931bb/README.md#using-it-on-internet-explorer-11-msie11

* only use worker for non ie, local refresh token opts

TODO: fix tests

* Fix tests

* Removed refresh token from worker memory when not included in response

* Moved offline_access scope configuration to constructor

* Modified playground to use both factory func and constructor

* Remove Object.assign

* Remove checks to fix rebuild issue

* Abort timed out requests in the Web Worker

* Errors

* Fix tests

* Add some more tests

* DRY up the tests a little

* Moar tests

* unused import

* update rollup-plugin-web-worker-loader
don't run `addEventListener` in tests
add test for missing refresh token and localstorage

* add timeout tests

* add browser tests

* Only include files in the typings copy process

* Fix fallback logic when no RT and no worker

* add browser tests and comments

* bump node version in Jenkinsfile

* Removed unused import

* Added sanity check for web worker support

* Fixed tests for window.Worker check

* Moved constructor tests into Auth0Client

Co-authored-by: Steve Hobbs <[email protected]>

* Updated readme with info on refresh tokens (#415)

* Implemented fallback to iframe when given specific audience (#414)

* Check if iframe is still in body before removing (#399)

If the iframe is removed from the DOM prior to the timeout it would error on removeChild.

Error thrown: `Uncaught DOMException: Failed to execute 'removeChild' on 'Node': The node to be removed is not a child of this node.`

Bug introduced in #376

Co-authored-by: Steve Hobbs <[email protected]>

* Check if source of event exists before closing it (#410)

When the iframe is closed, the source of the event message is null, resulting in an error: Cannot read property 'close' of undefined (Chrome).

Co-authored-by: Steve Hobbs <[email protected]>

* Removed unused error import

Co-authored-by: maxswa <[email protected]>
Co-authored-by: Yaroslav Admin <[email protected]>
Co-authored-by: Adam Mcgrath <[email protected]>
Co-authored-by: Paul Falgout <[email protected]>
Co-authored-by: gerritdeperrit <[email protected]>
picosam added a commit to picosam/auth0-spa-js that referenced this pull request May 12, 2020
* Fix typings to allow custom claims in ID token (auth0#386)

* Update global.ts

* fix: allow any value in unknown id token claim

* Run release:clean at the end of the release process (auth0#395)

* Merge 1.7.0 beta branch (auth0#419)

* Release 1.7.0 (auth0#421)

* Updated readme to include information about the RT fallback (auth0#423)

* Reset prettier config to pre-2.0 defaults, reformatted some files (auth0#431)

* include polyfill for Set (auth0#426)

* Updated `login_hint` js docs to clarify usage with Lock (auth0#441)

* Moved es-check to build script (auth0#442)

* Update rollup-plugin-web-worker-loader to 1.1.1 (auth0#443)

* Upgraded rollup-plugin-web-worker-loader to 1.1.1

This fixes an issue with Blob during Gatsby/SSR build

* Removed 'check' and other TS config

This is no longer needed now that the rollup plugin is fixed.

* Formatting

* Fixed playground string interp issue for IE11

* [SDK-1417] Customizable default scopes (auth0#435)

* Extracted changes needed to customize defaultScope

* Moved existing defaultScopes test to the right place

* getUniqueScopes moved into scope.ts

* Refactor getUniqueScopes into its own module

This allows it to be mocked or unmocked separately from utils.
index.test.ts has been completely refactored to use an unmocked version
and the expectations have changed as a result.

* Stop mutating options.scope and store in separate var

* Added tests for relevant functions for using advanced default scopes

* Fix constructor after merge

* advancedOptions.defaultScope can accept empty/null value

* Added advanced section to readme

Docs build to follow in the release PR

* Set up proper spy for getUniqueScopes

* Fixed types in JS docs

* Simplified getUniqueScopes implementation

* Cleaned up index test file

* Simplified the defaultScope check using null chaining operator

Co-authored-by: Sri Hari Raju Penmatsa <[email protected]>

* Release 1.8.0 (auth0#445)

* Fix issue with create-react-app webpack build (auth0#451)

* Release 1.8.1 (auth0#453)

Co-authored-by: Steve Hobbs <[email protected]>
Co-authored-by: maxswa <[email protected]>
Co-authored-by: Yaroslav Admin <[email protected]>
Co-authored-by: Adam Mcgrath <[email protected]>
Co-authored-by: Paul Falgout <[email protected]>
Co-authored-by: gerritdeperrit <[email protected]>
Co-authored-by: Tony Knight <[email protected]>
Co-authored-by: Sri Hari Raju Penmatsa <[email protected]>