Ported library from JavaScript to TypeScript. The API is largely backwards-compatible. The support for the deprecated implicit flow has been removed.
- the following properties are now required: `authority`, `client_id`, `redirect_uri`
- the following properties were renamed:
  - `clockSkew` → `clockSkewInSeconds`
  - `staleStateAge` → `staleStateAgeInSeconds`
- default of `loadUserInfo` changed from `true` → `false`
- removed `ResponseValidatorCtor` and `MetadataServiceCtor`
  - if necessary `OidcClient` / `UserManager` classes may be extended to alter their behavior
- restricted `response_type` to `code` flow only. As per OAuth 2.1: PKCE is required for all OAuth clients using the authorization `code` flow
  - as in oidc-client 1.x, OAuth 2.0 hybrid flows are not supported
- the property `signingKeys` is unused, unless the MetaDataService with this feature is used outside of this library.
- the following properties were renamed:
  - `accessTokenExpiringNotificationTime` → `accessTokenExpiringNotificationTimeInSeconds`
  - `silentRequestTimeout` (milliseconds) → `silentRequestTimeoutInSeconds`
  - `checkSessionInterval` (milliseconds) → `checkSessionIntervalInSeconds`
  - `revokeAccessTokenOnSignout` → `revokeTokensOnSignout`
- the following properties have new default values:
  - `automaticSilentRenew` changed from `false` → `true`
  - `validateSubOnSilentRenew` changed from `false` → `true`
  - `includeIdTokenInSilentRenew` changed from `true` → `false`
  - `monitorSession` changed from `true` → `false`
- type of `popupWindowFeatures` changed from a string to a dictionary
  - additionally, its default dimensions are now responsive to the opener window's
- a new property `revokeTokenTypes: ('access_token' | 'refresh_token')[]` was added
  - by default, `UserManager` will attempt revoking both token types when `revokeTokensOnSignout` is `true`. Compared to 1.x, sign out will now fail if revocations fail.
- The shorthand for keeping the popup open after the callback with `signoutPopupCallback(true)` is no longer supported. Instead use `signoutPopupCallback(undefined, true)` or preferably, `signoutPopupCallback(location.href, true)`.
- renamed `revokeAccessToken()` → `revokeTokens(types?)`
  - Compared to 1.x, this function will now throw if revocation of any of the specified types fails. Uses the `revokeTokenTypes` setting when no `types` are passed.
- The getter/setters for `Log.level` and `Log.logger` have been replaced by `Log.setLevel()` and `Log.setLogger()`.
- The getter for `User.expired` now returns `true` when `expires_at` is set to `0`. This was `false` in the previous version.
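
As an added example (not code from oidc-client-ts or its authors), the hypothetical helper `migrateSettings` below applies the renames, unit changes and removals listed above to a 1.x settings object. It also reports every setting whose default changed and that the old configuration left unset. The sample configuration values are constructed.

```typescript
// Added example: hypothetical helper, not part of oidc-client or oidc-client-ts.
type Settings = Record<string, unknown>;
// 1.x name -> [2.x name, divisor]. The notes mark only two 1.x values as milliseconds.
const RENAMED: Record<string, [string, number]> = {
  clockSkew: ["clockSkewInSeconds", 1],
  staleStateAge: ["staleStateAgeInSeconds", 1],
  accessTokenExpiringNotificationTime: ["accessTokenExpiringNotificationTimeInSeconds", 1],
  silentRequestTimeout: ["silentRequestTimeoutInSeconds", 1000],
  checkSessionInterval: ["checkSessionIntervalInSeconds", 1000],
  revokeAccessTokenOnSignout: ["revokeTokensOnSignout", 1],
};
const REMOVED = ["ResponseValidatorCtor", "MetadataServiceCtor"];
// Settings whose default flipped: name -> 1.x default (the 2.x default is the opposite).
const OLD_DEFAULTS: Record<string, boolean> = {
  loadUserInfo: true,
  automaticSilentRenew: false,
  validateSubOnSilentRenew: false,
  includeIdTokenInSilentRenew: true,
  monitorSession: true,
};

function migrateSettings(old: Settings): { settings: Settings; notes: string[] } {
  const settings: Settings = {};
  const notes: string[] = [];
  for (const key of ["authority", "client_id", "redirect_uri"]) {
    if (old[key] === undefined || old[key] === "") throw new Error(`${key} is now required`);
  }
  const rt = old["response_type"];
  if (rt !== undefined && rt !== "code") {
    throw new Error(`response_type "${String(rt)}" is not supported; only "code" remains`);
  }
  for (const key of Object.keys(old)) {
    const value = old[key];
    const renamed = RENAMED[key];
    if (REMOVED.indexOf(key) >= 0) { notes.push(`${key} removed: extend OidcClient/UserManager`); continue; }
    if (renamed === undefined) { settings[key] = value; continue; }
    settings[renamed[0]] = typeof value === "number" ? value / renamed[1] : value;
    notes.push(`${key} -> ${renamed[0]}`);
  }
  for (const key of Object.keys(OLD_DEFAULTS)) {
    const was = OLD_DEFAULTS[key];
    if (old[key] === undefined) notes.push(`${key} unset: default was ${was}, is now ${!was}`);
  }
  return { settings, notes };
}
// Constructed 1.x configuration (sample values, not from the page).
const legacy: Settings = { authority: "https://idp.example", client_id: "spa", response_type: "code",
  redirect_uri: "https://app.example/cb", silentRequestTimeout: 10000, revokeAccessTokenOnSignout: true, monitorSession: true };
const migrated = migrateSettings(legacy);
```

Each `unset` note marks a behaviour that changes silently on upgrade; set the property explicitly to keep or adopt the value on purpose.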