diff --git a/.version b/.version index c444c795..41ac0395 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -v2.19.0 \ No newline at end of file +v2.20.0 \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f181468..2a8ff265 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,11 @@ # Change Log +## [v2.20.0](https://github.com/auth0/auth0-react/tree/v2.20.0) (2026-07-02) +[Full Changelog](https://github.com/auth0/auth0-react/compare/v2.19.0...v2.20.0) + +**Added** +- feat: enforce IPSIE session_expiry ceiling on local session lifetime [\#1126](https://github.com/auth0/auth0-react/pull/1126) ([yogeshchoudhary147](https://github.com/yogeshchoudhary147)) + ## [v2.19.0](https://github.com/auth0/auth0-react/tree/v2.19.0) (2026-06-18) [Full Changelog](https://github.com/auth0/auth0-react/compare/v2.18.0...v2.19.0) diff --git a/docs/assets/hierarchy.js b/docs/assets/hierarchy.js index b4e2bca4..ed4efb01 100644 --- a/docs/assets/hierarchy.js +++ b/docs/assets/hierarchy.js @@ -1 +1 @@ -window.hierarchyData = "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" \ No newline at end of file +window.hierarchyData = "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" \ No newline at end of file diff --git a/docs/classes/AuthenticationError.html b/docs/classes/AuthenticationError.html index 6fd73e24..8841350c 100644 --- a/docs/classes/AuthenticationError.html +++ b/docs/classes/AuthenticationError.html @@ -1,6 +1,6 @@
Thrown when handling the redirect callback for the connect flow fails, will be one of Auth0's Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses
-Thrown when network requests to the Auth server fail.
-try {
const challenge = await mfa.challenge({
mfaToken: mfaToken,
challengeType: 'otp',
authenticatorId: 'otp|dev_123'
});
} catch (error) {
if (error instanceof MfaChallengeError) {
console.log(error.error); // 'too_many_attempts'
console.log(error.error_description); // 'Rate limit exceeded'
}
}
-Base class for MFA-related errors in auth0-spa-js. Extends GenericError for unified error hierarchy across the SDK.
-Error thrown when the token exchange results in a mfa_required error
try {
const tokens = await mfa.verify({
mfaToken: mfaToken,
grant_type: 'http://auth0.com/oauth/grant-type/mfa-otp',
otp: '123456'
});
} catch (error) {
if (error instanceof MfaVerifyError) {
console.log(error.error); // 'invalid_otp' or 'context_not_found'
console.log(error.error_description); // Error details
}
}
-Error thrown when there is no refresh token to use
-An OAuth2 error will come from the authorization server and will have at least an error property which will
be the error code. And possibly an error_description property
See: https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.2.6
-Optionalerror_description: stringOptionalerror_description: stringOptionalerror_OptionalstackStaticstackThe Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
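Review bot: the CHANGELOG hunk files "enforce IPSIE session_expiry ceiling on local session lifetime" (#1126) under "Added" only, yet the IdToken doc hunk later in this patch states that when the claim is present "the SDK will not return tokens after this point in time", which is a behaviour change for existing integrations whose tenant starts emitting session_expiry (token retrieval can now stop before the access token's own expiry). Suggest also listing it under a "Changed" heading, or adding a one-line note, so integrators know to handle the earlier failure path. Separately, this commit as shown carries only the .version bump, the CHANGELOG entry and regenerated docs/ output; the source change that implements the ceiling is not in the diff, so the described behaviour cannot be reviewed here, and mixing generated docs churn (for example the PasskeyError.html and PopupCancelledError.html hunks, which change nothing visible) with the release bump makes the substantive change harder to find.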
diff --git a/docs/classes/PasskeyChallengeError.html b/docs/classes/PasskeyChallengeError.html
index 8f79901b..5b16f7b6 100644
--- a/docs/classes/PasskeyChallengeError.html
+++ b/docs/classes/PasskeyChallengeError.html
@@ -1,5 +1,5 @@
Error thrown when requesting a passkey login challenge fails.
-Optionalcause: PasskeyApiErrorResponseOptionalcause: PasskeyApiErrorResponseOptionalcauseOptionalstackStaticstackThe Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
diff --git a/docs/classes/PasskeyError.html b/docs/classes/PasskeyError.html
index 6f4f265f..4160581e 100644
--- a/docs/classes/PasskeyError.html
+++ b/docs/classes/PasskeyError.html
@@ -1,4 +1,4 @@
-
Error thrown when exchanging a passkey credential for tokens fails.
Unlike the challenge errors, this carries mfa_token / mfa_requirements on
its cause when the server responds with mfa_required.
Optionalcause: PasskeyGetTokenApiErrorResponseOptionalcause: PasskeyGetTokenApiErrorResponseOptionalcauseOptionalstackStaticstackThe Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
diff --git a/docs/classes/PasskeyRegisterError.html b/docs/classes/PasskeyRegisterError.html
index 734aaaae..bb22af9f 100644
--- a/docs/classes/PasskeyRegisterError.html
+++ b/docs/classes/PasskeyRegisterError.html
@@ -1,5 +1,5 @@
Error thrown when requesting a passkey register challenge fails.
-Optionalcause: PasskeyApiErrorResponseOptionalcause: PasskeyApiErrorResponseOptionalcauseOptionalstackStaticstackThe Error.stackTraceLimit property specifies the number of stack frames
collected by a stack trace (whether generated by new Error().stack or
Error.captureStackTrace(obj)).
The default value is 10 but may be set to any valid JavaScript number. Changes
diff --git a/docs/classes/PopupCancelledError.html b/docs/classes/PopupCancelledError.html
index 115d923f..76097af7 100644
--- a/docs/classes/PopupCancelledError.html
+++ b/docs/classes/PopupCancelledError.html
@@ -1,5 +1,5 @@
Thrown when network requests to the Auth server fail.
-Thrown when network requests to the Auth server fail.
-Error thrown when the login popup times out (if the user does not complete auth)
-Thrown when silent auth times out (usually due to a configuration issue) or when network requests to the Auth server timeout.
-Error thrown when the wrong DPoP nonce is used and a potential subsequent retry wasn't able to fix it.
-OptionalactOptionaladdressOptionalbirthdateOptionalemailOptionalemail_Optionalfamily_OptionalgenderOptionalgiven_OptionallocaleOptionalmiddle_OptionalnameOptionalnicknameOptionalphone_Optionalphone_OptionalpictureOptionalpreferred_OptionalprofileOptionalsubOptionalupdated_OptionalwebsiteOptionalzoneinfoOptionalactOptionaladdressOptionalbirthdateOptionalemailOptionalemail_Optionalfamily_OptionalgenderOptionalgiven_OptionallocaleOptionalmiddle_OptionalnameOptionalnicknameOptionalphone_Optionalphone_OptionalpictureOptionalpreferred_OptionalprofileOptionalsubOptionalupdated_OptionalwebsiteOptionalzoneinfoProvides the Auth0Context to its child components.
-Use the useAuth0 hook in your components to access the auth state and methods.
TUser is an optional type param to provide a type to the user field.
Wrap your class components in this Higher Order Component to give them access to the Auth0Context.
Providing a context as the second argument allows you to configure the Auth0Provider the Auth0Context should come from f you have multiple within your application.
-When you wrap your components in this Higher Order Component and an anonymous user visits your component they will be redirected to the login page; after login they will be returned to the page they were redirected from.
-Contains the authenticated state and authentication methods provided by the useAuth0 hook.
If connecting the account is successful onRedirectCallback will be called
with the details of the connected account.
Returns a new Fetcher class that will contain a fetchWithAuth() method.
+
Returns a new Fetcher class that will contain a fetchWithAuth() method.
This is a drop-in replacement for the Fetch API's fetch() method, but will
handle certain authentication logic for you, like building the proper auth
headers or managing DPoP nonces and retries automatically.
Check the EXAMPLES.md file for a deeper look into this method.
Optionalconfig: FetcherConfig<TOutput>const tokenResponse = await customTokenExchange({
subject_token: 'ey...',
subject_token_type: 'urn:acme:legacy-system-token',
actor_token: 'ey...',
actor_token_type: 'https://idp.example.com/token-type/agent',
});
+Optionalconfig: FetcherConfig<TOutput>const tokenResponse = await customTokenExchange({
subject_token: 'ey...',
subject_token_type: 'urn:acme:legacy-system-token',
actor_token: 'ey...',
actor_token_type: 'https://idp.example.com/token-type/agent',
});
Exchanges an external subject token for Auth0 tokens without affecting the current session.
@@ -52,7 +52,7 @@refresh_token in the response is expected and will not cause an error.
The options required to perform the token exchange.
A promise that resolves to the token endpoint response.
-The options required to perform the token exchange
+The options required to perform the token exchange
A promise that resolves to the token endpoint response containing Auth0 tokens
Use loginWithCustomTokenExchange() instead. This method will be removed in the next major version.
const tokenResponse = await exchangeToken({
subject_token: 'external_token_value',
subject_token_type: 'urn:acme:legacy-system-token',
scope: 'openid profile email'
});
@@ -66,13 +66,13 @@
// Instead of:
const tokens = await exchangeToken(options);
// Use:
const tokens = await loginWithCustomTokenExchange(options);
-Returns a string to be used to demonstrate possession of the private +
Returns a string to be used to demonstrate possession of the private key used to cryptographically bind access tokens with DPoP.
It requires enabling the Auth0ClientOptions.useDpop option.
Returns a string to be used to demonstrate possession of the private key used to cryptographically bind access tokens with DPoP.
It requires enabling the Auth0ClientOptions.useDpop option.
-const token = await getAccessTokenSilently(options);
+const token = await getAccessTokenSilently(options);
If there's a valid token stored, return it. Otherwise, opens an @@ -91,7 +91,7 @@ back to using an iframe to make the token exchange.
Note that in all cases, falling back to an iframe requires access to
the auth0 cookie.
const token = await getTokenWithPopup(options, config);
+const token = await getTokenWithPopup(options, config);
Get an access token interactively.
@@ -99,7 +99,7 @@ provided as arguments. Random and securestate and nonce
parameters will be auto-generated. If the response is successful,
results will be valid according to their expiration times.
-const config = getConfiguration();
// { domain: 'tenant.auth0.com', clientId: 'abc123' }
+const config = getConfiguration();
// { domain: 'tenant.auth0.com', clientId: 'abc123' }
Returns a readonly copy of the initialization configuration @@ -109,7 +109,7 @@
Returns the current DPoP nonce used for making requests to Auth0.
+Returns the current DPoP nonce used for making requests to Auth0.
It can return undefined because when starting fresh it will not
be populated until after the first response from the server.
It requires enabling the Auth0ClientOptions.useDpop option.
@@ -124,16 +124,16 @@const claims = await getIdTokenClaims();
+const claims = await getIdTokenClaims();
Returns all claims from the id_token if available.
-After the browser redirects back to the callback page, +
After the browser redirects back to the callback page,
call handleRedirectCallback to handle success and error
responses from Auth0. If the response is successful, results
will be valid according to their expiration times.
Optionalurl: stringThe URL to that should be used to retrieve the state and code values. Defaults to window.location.href if not given.
await loginWithCustomTokenExchange(options);
+await loginWithCustomTokenExchange(options);
Exchanges an external subject token for Auth0 tokens and logs the user in. @@ -157,7 +157,7 @@
const options = {
subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
subject_token_type: 'urn:acme:legacy-system-token',
scope: 'openid profile email',
audience: 'https://api.example.com',
organization: 'org_12345'
};
try {
const tokenResponse = await loginWithCustomTokenExchange(options);
console.log('Access token:', tokenResponse.access_token);
// User is now logged in - access user info
const user = await getUser();
console.log('Logged in user:', user);
} catch (error) {
console.error('Token exchange failed:', error);
}
-await loginWithPopup(options, config);
+await loginWithPopup(options, config);
Opens a popup with the /authorize URL using the parameters
@@ -167,20 +167,20 @@
IMPORTANT: This method has to be called from an event handler that was started by the user like a button click, for example, otherwise the popup will be blocked in most browsers.
-await loginWithRedirect(options);
+await loginWithRedirect(options);
Performs a redirect to /authorize using the parameters
provided as arguments. Random and secure state and nonce
parameters will be auto-generated.
auth0.logout({ logoutParams: { returnTo: window.location.origin } });
+auth0.logout({ logoutParams: { returnTo: window.location.origin } });
Clears the application session and performs a redirect to /v2/logout, using
the parameters provided as arguments, to clear the Auth0 session.
If the logoutParams.federated option is specified, it also clears the Identity Provider session.
Read more about how Logout works at Auth0.
const { mfa } = useAuth0();
const authenticators = await mfa.getAuthenticators(mfaToken);
+const { mfa } = useAuth0();
const authenticators = await mfa.getAuthenticators(mfaToken);
MFA API client for Multi-Factor Authentication operations.
@@ -195,7 +195,7 @@const { mfa, getAccessTokenSilently } = useAuth0();
try {
await getAccessTokenSilently();
} catch (error) {
if (error.error === 'mfa_required') {
// Check if enrollment is needed
const factors = await mfa.getEnrollmentFactors(error.mfa_token);
if (factors.length > 0) {
// Enroll in OTP
const enrollment = await mfa.enroll({
mfaToken: error.mfa_token,
factorType: 'otp'
});
console.log('QR Code:', enrollment.barcodeUri);
}
// Get authenticators and challenge
const authenticators = await mfa.getAuthenticators(error.mfa_token);
await mfa.challenge({
mfaToken: error.mfa_token,
challengeType: 'otp',
authenticatorId: authenticators[0].id
});
// Verify with user's code
const tokens = await mfa.verify({
mfaToken: error.mfa_token,
otp: userCode
});
}
}
-const { myAccount } = useAuth0();
const factors = await myAccount.getFactors();
+const { myAccount } = useAuth0();
const factors = await myAccount.getFactors();
MyAccount API client for self-service account management operations.
@@ -213,7 +213,7 @@const { myAccount } = useAuth0();
// List all enrolled authentication methods
const methods = await myAccount.getAuthenticationMethods();
// Enroll a new passkey
const challenge = await myAccount.enrollmentChallenge({ type: 'passkey' });
const credential = await navigator.credentials.create({ publicKey: challenge.authn_params_public_key });
await myAccount.enrollmentVerify({ type: 'passkey', auth_session: challenge.auth_session, location: challenge.location, authn_response: credential });
// Remove an authentication method
await myAccount.deleteAuthenticationMethod('method-id');
-const { passkey } = useAuth0();
const tokens = await passkey.signup({ email: 'user@example.com' });
+const { passkey } = useAuth0();
const tokens = await passkey.signup({ email: 'user@example.com' });
Passkey API client for WebAuthn-based passwordless authentication.
@@ -223,7 +223,7 @@Both methods exchange the WebAuthn credential for Auth0 tokens and update
isAuthenticated / user in the same way as loginWithPopup.
Sets the current DPoP nonce used for making requests to Auth0.
+Sets the current DPoP nonce used for making requests to Auth0.
It requires enabling the Auth0ClientOptions.useDpop option.
Sets the current DPoP nonce used for making requests to Auth0.
It requires enabling the Auth0ClientOptions.useDpop option.
@@ -235,4 +235,4 @@Email enrollment parameters
-OptionalemailEmail address (optional, uses user's email if not provided)
diff --git a/docs/interfaces/EnrollOtpParams.html b/docs/interfaces/EnrollOtpParams.html index c5378877..16c9f959 100644 --- a/docs/interfaces/EnrollOtpParams.html +++ b/docs/interfaces/EnrollOtpParams.html @@ -1,5 +1,5 @@OTP (Time-based One-Time Password) enrollment parameters
-The factor type for enrollment
MFA token from mfa_required error
diff --git a/docs/interfaces/EnrollPushParams.html b/docs/interfaces/EnrollPushParams.html index f78ed97e..c8c3b2b5 100644 --- a/docs/interfaces/EnrollPushParams.html +++ b/docs/interfaces/EnrollPushParams.html @@ -1,5 +1,5 @@Push notification enrollment parameters
-The factor type for enrollment
MFA token from mfa_required error
diff --git a/docs/interfaces/EnrollSmsParams.html b/docs/interfaces/EnrollSmsParams.html index 3f513785..1ea1af47 100644 --- a/docs/interfaces/EnrollSmsParams.html +++ b/docs/interfaces/EnrollSmsParams.html @@ -1,5 +1,5 @@SMS enrollment parameters
-The factor type for enrollment
diff --git a/docs/interfaces/EnrollVoiceParams.html b/docs/interfaces/EnrollVoiceParams.html index 63178221..c63a9c0d 100644 --- a/docs/interfaces/EnrollVoiceParams.html +++ b/docs/interfaces/EnrollVoiceParams.html @@ -1,5 +1,5 @@Voice enrollment parameters
-The factor type for enrollment
diff --git a/docs/interfaces/IdToken.html b/docs/interfaces/IdToken.html index 84bc3c5b..981520f7 100644 --- a/docs/interfaces/IdToken.html +++ b/docs/interfaces/IdToken.html @@ -1,4 +1,4 @@ -OptionalacrOptionalactThe actor claim, present in ID tokens returned via token exchange responses.
Identifies the acting party that has been delegated authority to act on behalf
of the subject. Set via Auth0 Actions using the setActor command.
OptionaladdressOptionalamrOptionalat_OptionalaudOptionalauth_OptionalazpOptionalbirthdateOptionalc_OptionalcnfOptionalemailOptionalemail_OptionalexpOptionalfamily_OptionalgenderOptionalgiven_OptionaliatOptionalissOptionaljtiOptionallocaleOptionalmiddle_OptionalnameOptionalnbfOptionalnicknameOptionalnonceOptionalorg_Optionalorg_Optionalphone_Optionalphone_OptionalpictureOptionalpreferred_OptionalprofileOptionalsidOptionalsub_Optionalupdated_OptionalwebsiteOptionalzoneinfoOptionaladdressOptionalamrOptionalat_OptionalaudOptionalauth_OptionalazpOptionalbirthdateOptionalc_OptionalcnfOptionalemailOptionalemail_OptionalexpOptionalfamily_OptionalgenderOptionalgiven_OptionaliatOptionalissOptionaljtiOptionallocaleOptionalmiddle_OptionalnameOptionalnbfOptionalnicknameOptionalnonceOptionalorg_Optionalorg_Optionalphone_Optionalphone_OptionalpictureOptionalpreferred_OptionalprofileOptionalsession_IPSIE session expiry ceiling (Unix timestamp in seconds). +When present, the SDK will not return tokens after this point in time.
+OptionalsidOptionalsub_Optionalupdated_OptionalwebsiteOptionalzoneinfoOptionalclientThe clientId of your application.
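Review bot: the new session_expiry description in the IdToken hunk says "Unix timestamp in seconds" and that the SDK "will not return tokens after this point in time", but it does not say how that surfaces to the caller or how the comparison is made. Suggest documenting (a) which call reports the expired ceiling and with what error, so applications can distinguish it from an ordinary missing or expired token, (b) that the claim is compared against the current time in seconds (JavaScript Date.now() is milliseconds, a classic unit mistake when integrators replicate the check), and (c) whether the SDK applies the same leeway it uses for exp, since a few seconds of client clock skew would otherwise reject tokens early. Also, the removed line listed acr immediately before act, while the added lines as shown do not list acr; please confirm the acr claim is still documented and that only session_expiry was added.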
Components wrapped in withAuth0 will have an additional auth0 prop
Options for the withAuthenticationRequired Higher Order Component
-OptionalcontextThe context to be used when calling useAuth0, this should only be provided if you are using multiple Auth0Providers within your application and you wish to tie a specific component to a Auth0Provider other than the Auth0Provider associated with the default Auth0Context.
-OptionalloginwithAuthenticationRequired(Profile, {
loginOptions: {
appState: {
customProp: 'foo'
}
}
})
+OptionalloginwithAuthenticationRequired(Profile, {
loginOptions: {
appState: {
customProp: 'foo'
}
}
})
Pass additional login options, like extra appState to the login page.
This will be merged with the returnTo option used by the onRedirectCallback handler.
OptionalonwithAuthenticationRequired(Profile, {
onBeforeAuthentication: () => { analyticsLibrary.track('login_triggered'); }
})
+OptionalonwithAuthenticationRequired(Profile, {
onBeforeAuthentication: () => { analyticsLibrary.track('login_triggered'); }
})
Allows executing logic before the user is redirected to the login page.
-OptionalonwithAuthenticationRequired(Profile, {
onRedirecting: () => <div>Redirecting you to the login...</div>
})
+OptionalonwithAuthenticationRequired(Profile, {
onRedirecting: () => <div>Redirecting you to the login...</div>
})
Render a message to show that the user is being redirected to the login.
-OptionalreturnwithAuthenticationRequired(Profile, {
returnTo: '/profile'
})
+OptionalreturnwithAuthenticationRequired(Profile, {
returnTo: '/profile'
})
or
@@ -28,4 +28,4 @@Add a path for the onRedirectCallback handler to return the user to after login.
The state of the application before the user was redirected to the login page and any account that the user may have connected to.
-The main configuration to instantiate the Auth0Provider.
Either provide domain and clientId (Auth0ProviderWithConfigOptions)
or a pre-configured client instance (Auth0ProviderWithClientOptions).
Options for Auth0Provider when configuring Auth0 via domain and clientId.
Use this type when building wrapper components around Auth0Provider.
The account that has been connected during the connect flow.
-ConstThe Auth0 Context
-
Thrown when handling the redirect callback fails, will be one of Auth0's Authentication API's Standard Error Responses: https://auth0.com/docs/api/authentication?javascript#standard-error-responses
-