The API is largely backwards-compatible.
The "crypto-js" software library has been removed; the native crypto/crypto.subtle module built into the browser is instead used. All modern browsers are expected to support it. If you need to support older browsers, stay with v2.4!
The behavior of merging claims has been improved.
- the following deprecated properties were removed: `clockSkewInSeconds`, `userInfoJwtIssuer`, `refreshTokenCredentials`, `usefetchRequestCredentials`
- the `mergeClaims` property has been replaced by `mergeClaimsStrategy`
  - if the previous behavior is required, `mergeClaimsStrategy: { array: "merge" }` comes close to it
- default of `response_mode` changed from `query` → `undefined`
Ported library from JavaScript to TypeScript. The API is largely backwards-compatible. The support for the deprecated implicit flow has been removed.
- the following properties are now required: `authority`, `client_id`, `redirect_uri`
- the following properties were renamed: `clockSkew` → `clockSkewInSeconds`, `staleStateAge` → `staleStateAgeInSeconds`
- default of `loadUserInfo` changed from `true` → `false`
- removed `ResponseValidatorCtor` and `MetadataServiceCtor`
  - if necessary, the `OidcClient` / `UserManager` classes may be extended to alter their behavior
- restricted `response_type` to the `code` flow only. As per OAuth 2.1, PKCE is required for all OAuth clients using the authorization `code` flow
  - as in oidc-client 1.x, OAuth 2.0 hybrid flows are not supported
- the property `signingKeys` is unused, unless the `MetadataService` with this feature is used outside of this library.
- the following properties were renamed: `accessTokenExpiringNotificationTime` → `accessTokenExpiringNotificationTimeInSeconds`, `silentRequestTimeout` (milliseconds) → `silentRequestTimeoutInSeconds`, `checkSessionInterval` (milliseconds) → `checkSessionIntervalInSeconds`, `revokeAccessTokenOnSignout` → `revokeTokensOnSignout`
- the following properties have new default values: `automaticSilentRenew` changed from `false` → `true`, `validateSubOnSilentRenew` changed from `false` → `true`, `includeIdTokenInSilentRenew` changed from `true` → `false`, `monitorSession` changed from `true` → `false`
- type of `popupWindowFeatures` changed from a string to a dictionary
  - additionally, its default dimensions are now responsive to the opener window's dimensions
- a new property `revokeTokenTypes: ('access_token' | 'refresh_token')[]` was added
  - by default, `UserManager` will attempt to revoke both token types when `revokeTokensOnSignout` is `true`. Compared to 1.x, sign out will now fail if revocations fail.
- The shorthand for keeping the popup open after the callback with `signoutPopupCallback(true)` is no longer supported. Instead use `signoutPopupCallback(undefined, true)` or, preferably, `signoutPopupCallback(location.href, true)`.
- renamed `revokeAccessToken()` → `revokeTokens(types?)`
  - Compared to 1.x, this function will now throw if any revocation of the specified types fails. Uses the `revokeTokenTypes` setting when no `types` are passed.
- The getter/setters for `Log.level` and `Log.logger` have been replaced by `Log.setLevel()` and `Log.setLogger()`.
- The getter for `User.expired` now returns `true` when `expires_at` is set to `0`. This was `false` in the previous version.
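As an added example (not code from oidc-client-ts itself), the helper below rewrites a 1.x-style settings object into the 2.x shape listed above: it applies the renames, converts the two millisecond timeouts to seconds, pins the defaults that flipped so behavior stays unchanged, insists on the now-required properties and rejects any `response_type` other than `code`. The `migrateSettings` and `parsePopupFeatures` names and the "key=value,key=value" popup feature string format are assumptions.

```typescript
// Added example, not oidc-client-ts code: rewrites a 1.x-style settings object
// into the 2.x shape described above. Works on plain objects, no library import.
type Settings = Record<string, unknown>;
// 1.x name -> 2.x name, value unchanged.
const RENAMED: Record<string, string> = {
  clockSkew: "clockSkewInSeconds",
  staleStateAge: "staleStateAgeInSeconds",
  accessTokenExpiringNotificationTime: "accessTokenExpiringNotificationTimeInSeconds",
  revokeAccessTokenOnSignout: "revokeTokensOnSignout",
};
// 1.x milliseconds -> 2.x seconds.
const MS_TO_S: Record<string, string> = {
  silentRequestTimeout: "silentRequestTimeoutInSeconds",
  checkSessionInterval: "checkSessionIntervalInSeconds",
};
// Defaults that flipped in 2.x. Pinning the 1.x value keeps behaviour unchanged;
// review each pin afterwards (validateSubOnSilentRenew: true is the safer choice).
const V1_DEFAULTS: Settings = {
  loadUserInfo: true, automaticSilentRenew: false, validateSubOnSilentRenew: false,
  includeIdTokenInSilentRenew: true, monitorSession: true,
};
// Assumed 1.x window-features string format: "width=500,height=600,toolbar=no".
function parsePopupFeatures(s: string): Record<string, string | number> {
  const out: Record<string, string | number> = {};
  for (const part of s.split(",")) {
    const [k, v = "yes"] = part.split("=").map((x) => x.trim());
    if (!k) continue;
    out[k] = /^\d+$/.test(v) ? Number(v) : v;
  }
  return out;
}
function migrateSettings(old: Settings): Settings {
  // authority, client_id and redirect_uri are mandatory in 2.x.
  for (const req of ["authority", "client_id", "redirect_uri"]) {
    if (old[req] === undefined) throw new Error(`2.x requires "${req}"`);
  }
  // Only the authorization code flow remains; implicit and hybrid are rejected.
  if (old["response_type"] !== undefined && old["response_type"] !== "code") {
    throw new Error(`response_type ${String(old["response_type"])} unsupported, use "code"`);
  }
  const out: Settings = { ...V1_DEFAULTS };
  for (const k of Object.keys(old)) {
    const v = old[k];
    if (k in RENAMED) out[RENAMED[k]] = v;
    else if (k in MS_TO_S) out[MS_TO_S[k]] = (v as number) / 1000;
    else if (k === "popupWindowFeatures" && typeof v === "string") out[k] = parsePopupFeatures(v);
    else out[k] = v;
  }
  return out;
}
```

Pass the object you handed to the 1.x `UserManager` constructor through `migrateSettings` and diff the result against your intended 2.x configuration; every pinned default that shows up is a decision to make deliberately rather than inherit.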