gsandf-auth0-js
Client Side Javascript toolkit for Auth0 API
We recommend using auth0.js v8 if you need to use API Auth features. For auth0.js v7 code, please check the v7 branch; this version will be supported and maintained alongside v8.
Need help migrating from v7? Please check our Migration Guide.
From CDN
<!-- Latest patch release (recommended for production) -->
<script src="https://cdn.auth0.com/js/auth0/8.8.0/auth0.min.js"></script>
From bower
bower install auth0-lock
<script src="bower_components/auth0.js/build/auth0.min.js"></script>
From npm
npm install auth0-js
After installing the auth0-js module, you'll need to bundle it up along with all of its dependencies.
Provides support for all the authentication flows
var auth0 = new auth0.WebAuth({
  domain: "{YOUR_AUTH0_DOMAIN}",
  clientID: "{YOUR_AUTH0_CLIENT_ID}"
});
Parameters:
'example.auth0.com' or 'example.eu.auth0.com'.
'token'. Valid values are 'token', 'id_token' and 'token id_token'.
'fragment'. The parseHash method can be used to parse authentication responses using fragment response mode.
false.
/authorize endpoint to start an authentication/authorization transaction. Auth0 will call back to your application with the results at the specified redirectUri.
auth0.authorize({
  audience: 'https://mystore.com/api/v2',
  scope: 'read:order write:order',
  responseType: 'token',
  redirectUri: 'https://example.com/auth/callback'
});
This method requires that your tokens are signed with RS256. Please check our Migration Guide for more information.
auth0.parseHash(window.location.hash, function(err, authResult) {
  if (err) {
    return console.log(err);
  }
  // The contents of authResult depend on which authentication parameters were used.
  // It can include the following:
  // authResult.accessToken - access token for the API specified by `audience`
  // authResult.expiresIn - string with the access token's expiration time in seconds
  // authResult.idToken - ID token JWT containing user profile information
  auth0.client.userInfo(authResult.accessToken, function(err, user) {
    // Now you have the user's information
  });
});
callback with an error if the user does not have an active SSO session at your Auth0 domain. This method can be used to detect a locally unauthenticated user's SSO session status, or to renew an authenticated user's access token.
The actual redirect to /authorize happens inside an iframe, so it will not reload your application or redirect away from it.
auth0.renewAuth({
  audience: 'https://mystore.com/api/v2',
  scope: 'read:order write:order',
  redirectUri: 'https://example.com/auth/silent-callback',
  // this will use postMessage to communicate between the silent callback
  // and the SPA. When false, the SDK will attempt to parse the URL hash itself,
  // so the callback page should ignore the URL hash and no extra behaviour is needed.
  usePostMessage: true
}, function (err, authResult) {
  // Renewed tokens or error
});
The contents of authResult are identical to those returned by parseHash().
For this request to succeed, the user must have an active SSO session at Auth0 by having logged in through the hosted login page of your Auth0 domain.
Important: this will use postMessage to communicate between the silent callback and the SPA. When false, the SDK will attempt to parse the URL hash itself, so the callback page should ignore the URL hash and no extra behaviour is needed.
Also important: If you're not using the hosted login page to do social logins, you have to use your own social connection keys. If you use Auth0's dev keys, you'll always get login_required as an error when calling renewAuth.
It is strongly recommended to have a dedicated callback page for silent authentication in order to avoid loading your entire application again inside an iframe. This callback page should only parse the URL hash and post it to the parent document so that your application can take action depending on the outcome of the silent authentication attempt. For example:
<!DOCTYPE html>
<html>
  <head>
    <script src="/auth0.js"></script>
    <script type="text/javascript">
      var auth0 = new auth0.WebAuth({
        domain: '{YOUR_AUTH0_DOMAIN}',
        clientID: '{YOUR_AUTH0_CLIENT_ID}'
      });
      auth0.parseHash(window.location.hash, function (err, result) {
        parent.postMessage(err || result, 'https://example.com/');
      });
    </script>
  </head>
  <body></body>
</html>
Remember to add the URL of the silent authentication callback page to the "Allowed Callback URLs" list of your Auth0 client.
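If your application receives the message posted by the silent callback page itself, the listener should check where the message came from before trusting its contents. The following is an added example, not code from auth0.js: `acceptSilentAuthMessage`, `EXPECTED_ORIGIN`, the iframe id and the `error` field on failure objects are assumptions made for illustration.

```javascript
// Added example (not from the auth0.js project). All names here are hypothetical.
const EXPECTED_ORIGIN = 'https://example.com'; // origin that serves the silent callback page

// Decide whether a `message` event really is the silent-auth result.
// `iframeWindow` is the contentWindow of the hidden iframe the app opened.
function acceptSilentAuthMessage(event, iframeWindow) {
  // 1. Exact origin comparison; prefix or substring checks can be bypassed.
  if (event.origin !== EXPECTED_ORIGIN) {
    return { ok: false, reason: 'unexpected origin' };
  }
  // 2. The sender must be the iframe we created, not some other window.
  if (event.source !== iframeWindow) {
    return { ok: false, reason: 'unexpected source' };
  }
  const data = event.data;
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'malformed payload' };
  }
  // 3. Failure objects are assumed to carry an `error` string such as 'login_required'.
  if (typeof data.error === 'string') {
    return { ok: false, reason: data.error };
  }
  // 4. A success must carry at least one token, and it must be a string.
  const hasToken = typeof data.accessToken === 'string' || typeof data.idToken === 'string';
  if (!hasToken) {
    return { ok: false, reason: 'no token in payload' };
  }
  return { ok: true, accessToken: data.accessToken, idToken: data.idToken, expiresIn: data.expiresIn };
}

// Browser wiring; skipped outside a browser so the block also runs offline.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.querySelector('iframe#silent-auth'); // hypothetical iframe id
  window.addEventListener('message', function (event) {
    const verdict = acceptSilentAuthMessage(event, frame && frame.contentWindow);
    console.log(verdict.ok ? 'silent auth succeeded' : 'rejected: ' + verdict.reason);
  });
}
```

The callback page above already limits who can read the result by passing an explicit target origin to postMessage; this check covers the receiving side.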
/oauth/token. This will not initialize an SSO session at Auth0, hence cannot be used along with silent authentication.
auth0.client.login({
  realm: 'Username-Password-Authentication', // connection name or HRD domain
  username: 'info@auth0.com',
  password: 'areallystrongpassword',
  audience: 'https://mystore.com/api/v2',
  scope: 'read:order write:order',
}, function(err, authResult) {
  // Auth tokens in the result or an error
});
The contents of authResult are identical to those returned by parseHash().
Provides an API client for the Auth0 Authentication API.
var auth0 = new auth0.Authentication({
  domain: "{YOUR_AUTH0_DOMAIN}",
  clientID: "{YOUR_AUTH0_CLIENT_ID}"
});
/authorize url in order to initialize a new authN/authZ transaction. https://auth0.com/docs/api/authentication#database-ad-ldap-passive-
oauth/token endpoint with password grant type. https://auth0.com/docs/api-auth/grant/password
oauth/token endpoint with http://auth0.com/oauth/grant-type/password-realm grant type.
oauth/token endpoint.
/userinfo endpoint and returns the user profile.
Provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token).
var auth0 = new auth0.Management({
  domain: "{YOUR_AUTH0_DOMAIN}",
  token: "{YOUR_AUTH0_API_TOKEN}"
});
For a complete reference and examples, please check our docs, and our Migration Guide if you need help to migrate from v7.
Run npm start and point your browser to https://localhost:3000/example to run the example page.
Run npm run test to run the test suite.
Run npm run test:watch to run the test suite while you work.
Run npm run test:coverage to run the test suite with coverage report.
Run npm run lint to run the linter and check code styles.
If you have found a bug or if you have a feature request, please report them in this repository's issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
For auth0 related questions/support please use the Support Center.
This project is licensed under the MIT license. See the LICENSE file for more info.
FAQs
Auth0 headless browser sdk
The npm package gsandf-auth0-js receives a total of 1 weekly downloads. As such, gsandf-auth0-js popularity was classified as not popular.
We found that gsandf-auth0-js demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.