npm - @auth0/auth0-spa-js - Versions diffs - 2.10.0 → 2.11.1 - Mend

@auth0/auth0-spa-js 2.10.0 → 2.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/README.md +1 -1
package/dist/auth0-spa-js.development.js +11 -2
package/dist/auth0-spa-js.development.js.map +1 -1
package/dist/auth0-spa-js.production.esm.js +1 -1
package/dist/auth0-spa-js.production.esm.js.map +1 -1
package/dist/auth0-spa-js.production.js +1 -1
package/dist/auth0-spa-js.production.js.map +1 -1
package/dist/auth0-spa-js.worker.development.js.map +1 -1
package/dist/auth0-spa-js.worker.production.js.map +1 -1
package/dist/lib/auth0-spa-js.cjs.js +11 -2
package/dist/lib/auth0-spa-js.cjs.js.map +1 -1
package/dist/typings/Auth0Client.d.ts +5 -1
package/dist/typings/TokenExchange.d.ts +6 -0
package/dist/typings/global.d.ts +4 -1
package/dist/typings/version.d.ts +1 -1
package/package.json +3 -3
package/src/Auth0Client.ts +21 -2
package/src/TokenExchange.ts +7 -0
package/src/global.ts +4 -1
package/src/version.ts +1 -1

package/dist/typings/Auth0Client.d.ts CHANGED Viewed

@@ -233,6 +233,8 @@ export declare class Auth0Client {
      * - `scope`: A unique set of scopes, generated by merging the scopes supplied in the options
      *            with the SDK’s default scopes.
      * - `audience`: The target audience from the options, with fallback to the SDK's authorization configuration.
+     * - `organization`: Optional organization ID or name for authenticating the user in an organization context.
+     *                   When provided, the organization ID will be present in the access token payload.
      *
      * **Example Usage:**
      *
@@ -241,13 +243,15 @@ export declare class Auth0Client {
      * const options: CustomTokenExchangeOptions = {
      *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
      *   subject_token_type: 'urn:acme:legacy-system-token',
-     *   scope: "openid profile"
+     *   scope: "openid profile",
+     *   organization: "org_12345"
      * };
      *
      * // Exchange the external token for Auth0 tokens
      * try {
      *   const tokenResponse = await instance.exchangeToken(options);
      *   // Use tokenResponse.access_token, tokenResponse.id_token, etc.
+     *   // The organization ID will be present in the access token payload
      * } catch (error) {
      *   // Handle token exchange error
      * }

package/dist/typings/TokenExchange.d.ts CHANGED Viewed

@@ -53,6 +53,12 @@ export type CustomTokenExchangeOptions = {
      * "openid profile email read:data write:data"
      */
     scope?: string;
+    /**
+     * ID or name of the organization to use when authenticating a user.
+     * When provided, the user will be authenticated using the organization context.
+     * The organization ID will be present in the access token payload.
+     */
+    organization?: string;
     /**
      * Additional custom parameters for Auth0 Action processing
      *

package/dist/typings/global.d.ts CHANGED Viewed

@@ -140,9 +140,12 @@ export interface Auth0ClientOptions {
      */
     cache?: ICache;
     /**
-     * If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the legacy technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
+     * If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the standard technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
      * The default setting is `false`.
      *
+     * Standard technique relies on cookies. Because browsers increasingly block third-party cookies, it requires a Custom Domain to function reliably. Refresh tokens serve as a fallback for environments where third-party cookies are blocked.
+     * Using a Custom Domain with this set to `false` is the most secure and recommended approach.
+     *
      * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
      */
     useRefreshTokens?: boolean;

package/dist/typings/version.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-declare const _default: "2.10.0";
+declare const _default: "2.11.1";
 export default _default;

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.10.0",
+  "version": "2.11.1",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -59,7 +59,7 @@
     "@types/jest": "^28.1.7",
     "@typescript-eslint/eslint-plugin-tslint": "^5.33.1",
     "@typescript-eslint/parser": "^5.33.1",
-    "browserstack-cypress-cli": "1.32.8",
+    "browserstack-cypress-cli": "1.36.0",
     "cli-table": "^0.3.6",
     "concurrently": "^7.3.0",
     "cypress": "13.17.0",
@@ -76,7 +76,7 @@
     "jest-junit": "^14.0.0",
     "jest-localstorage-mock": "^2.4.22",
     "jsonwebtoken": "^9.0.0",
-    "oidc-provider": "^7.14.0",
+    "oidc-provider": "^9.6.0",
     "prettier": "^2.7.1",
     "pretty-quick": "^3.1.2",
     "rimraf": "^3.0.2",

package/src/Auth0Client.ts CHANGED Viewed

@@ -1373,6 +1373,19 @@ export class Auth0Client {
       organization
     );
+    // When logging in with authorization_code, check if a different user is authenticating
+    // If so, clear the cache to prevent tokens from multiple users coexisting
+    if (options.grant_type === 'authorization_code') {
+      const existingIdToken = await this._getIdTokenFromCache();
+      if (existingIdToken?.decodedToken?.claims?.sub &&
+          existingIdToken.decodedToken.claims.sub !== decodedToken.claims.sub) {
+        // Different user detected - clear cached tokens
+        await this.cacheManager.clear(this.options.clientId);
+        this.userCache.remove(CACHE_KEY_ID_TOKEN_SUFFIX);
+      }
+    }
     await this._saveEntryInCache({
       ...authResult,
       decodedToken,
@@ -1422,6 +1435,8 @@ export class Auth0Client {
    * - `scope`: A unique set of scopes, generated by merging the scopes supplied in the options
    *            with the SDK’s default scopes.
    * - `audience`: The target audience from the options, with fallback to the SDK's authorization configuration.
+   * - `organization`: Optional organization ID or name for authenticating the user in an organization context.
+   *                   When provided, the organization ID will be present in the access token payload.
    *
    * **Example Usage:**
    *
@@ -1430,13 +1445,15 @@ export class Auth0Client {
    * const options: CustomTokenExchangeOptions = {
    *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
    *   subject_token_type: 'urn:acme:legacy-system-token',
-   *   scope: "openid profile"
+   *   scope: "openid profile",
+   *   organization: "org_12345"
    * };
    *
    * // Exchange the external token for Auth0 tokens
    * try {
    *   const tokenResponse = await instance.exchangeToken(options);
    *   // Use tokenResponse.access_token, tokenResponse.id_token, etc.
+   *   // The organization ID will be present in the access token payload
    * } catch (error) {
    *   // Handle token exchange error
    * }
@@ -1454,7 +1471,8 @@ export class Auth0Client {
         options.scope,
         options.audience || this.options.authorizationParams.audience
       ),
-      audience: options.audience || this.options.authorizationParams.audience
+      audience: options.audience || this.options.authorizationParams.audience,
+      organization: options.organization || this.options.authorizationParams.organization
     });
   }
@@ -1638,6 +1656,7 @@ interface TokenExchangeRequestOptions extends BaseRequestTokenOptions {
   subject_token_type: string;
   actor_token?: string;
   actor_token_type?: string;
+  organization?: string;
 }
 interface RequestTokenAdditionalParameters {

package/src/TokenExchange.ts CHANGED Viewed

@@ -57,6 +57,13 @@ export type CustomTokenExchangeOptions = {
    */
   scope?: string;
+  /**
+   * ID or name of the organization to use when authenticating a user.
+   * When provided, the user will be authenticated using the organization context.
+   * The organization ID will be present in the access token payload.
+   */
+  organization?: string;
   /**
    * Additional custom parameters for Auth0 Action processing
    *

package/src/global.ts CHANGED Viewed

@@ -161,9 +161,12 @@ export interface Auth0ClientOptions {
   cache?: ICache;
   /**
-   * If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the legacy technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
+   * If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the standard technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
    * The default setting is `false`.
    *
+   * Standard technique relies on cookies. Because browsers increasingly block third-party cookies, it requires a Custom Domain to function reliably. Refresh tokens serve as a fallback for environments where third-party cookies are blocked.
+   * Using a Custom Domain with this set to `false` is the most secure and recommended approach.
+   *
    * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
    */
   useRefreshTokens?: boolean;

package/src/version.ts CHANGED Viewed

	@@ -1 +1 @@
1	- export default '2.10.0';
1	+ export default '2.11.1';