The Auth0 team released the new Auth0 Single Page App SDK v2.0, and it's now available in the npm registry. It is a major new release with a focus on development and user experience.
The new release makes an important step towards improving usability and reducing the footprint (size) of the SDK.
Quick Start with the New SDK
You can follow the quick start guide if you build a new application or connect your SPA with Auth0 using the SDK for the first time.
If you use frameworks such as React, Angular, or Vue, you can use framework-specific libraries instead. You can learn more about specific frameworks in our SPA guides section.
All of the mentioned improvements will be available in the next beta versions of our framework-specific SDKs. Be sure to keep an eye on them to be notified when their beta versions are available.
Migrating from v1.x
With the improvements from v1.x, it was necessary to introduce some breaking changes. We will cover the most impactful changes in this post, but we recommend reviewing the migration guide for the details of all breaking changes and their corresponding migration path.
Reduced Bundle Size by 60%
Auth0 SPA SDK V1.x shipped with built-in polyfills to compensate for the lack of native support on some browsers for features such as:
As the above APIs are now available for most browsers, we believe there's no more need to include those polyfills. Primarily users of IE11 would require them, and with Microsoft dropping support for IE11, we believe it makes sense to capitalize on the gains and drop support for IE11 as of V2.
By removing these polyfills, and with some small improvements on our side, we reduced the bundle size by an outstanding 60%.
Such a reduction will allow for faster download and processing times for application users.
API Consistency
Our SDK offers a variety of settings that can be divided into two categories:
- Properties used to configure our SDK
- Properties used solely to pass through to Auth0
In v1.x, passing both types of properties to the SDK was possible when instantiating a new
Auth0Client
. Because the different types of arguments were differentiated only by the case (camel vs. snake case), with no additional separation in the object argument, it wasn't very evident what arguments were SDK properties and which ones were authorization parameters.Here is an example of what setting such options on v1.x looks like:
const client = new Auth0Client({ client_id: '...', useRefreshTokens: true, useRefreshTokensFallback: false, redirect_uri: '...', custom_param: '...', screen_hint: 'signup' });
With v2, we are ensuring the distinction between the two categories is clear by putting any property solely used to pass through to Auth0 in a property bag named
authorizationParams
. On top of that, any property outside of authorizationParams
will now be using camel casing.Here is what the configuration looks like in v2:
const client = new Auth0Client({ clientId: '...', // <= camelCasing useRefreshTokens: true, useRefreshTokensFallback: false, authorizationParams: { // <= new property bag redirect_uri: '...', // <= moved into authorizationParams custom_param: '...', // <= moved into authorizationParams screen_hint: 'signup' // <= moved into authorizationParams } });
localOnly
Logout
localOnly
In v1.x of the SDK, it was possible to pass a
localOnly
when calling logout
. In the current release, we dropped the localOnly
argument in favor of a new onRedirect
event that allows for more control, including the possibility of not redirecting, and thus produces the same effect the localOnly
property intended.To replicate the
localOnly
behavior, you can implement the following:await client.logout({ onRedirect: async (url) => { // Do not do anything // Or do something else but redirecting } })
Removed buildAuthorizeUrl
and buildLogoutUrl
buildAuthorizeUrl
buildLogoutUrl
In v1.x, it was possible to use the methods
buildAuthorizeUrl
and buildLogoutUrl
for applications that couldn't rely on window.location.assign
to redirect to Auth0 when calling loginWithRedirect
or logout
respectively. A typical example of this was when developers needed to set a specific URL in the context of a mobile application using frameworks such as Ionic.In v2, developers would rely on
onRedirect
to specify such behavior.For example:
await client.loginWithRedirect({ async onRedirect(url) { // Redirect using Capacitor's Browser plugin await Browser.open({ url }); } });
getUser
and getIdTokenClaims
getUser
getIdTokenClaims
As part of our optimization efforts, we reworked the SDK's internal cache to store tokens. Consequently, it was possible to simplify the methods
getUser
and getIdTokenClaims
.In v1.x, developers could pass a specific scope and audience when calling either of those functions.
Here are some examples of how these functions were used in v1:
const user = await getUser(); const user = await getUser({ audience, scope }); const claims = await getIdTokenClaims(); const claims = await getIdTokenClaims({ audience, scope });
However, as an application should only have one user, such parameters wouldn't be required. So from v2, we dropped those parameters and simplified the methods to:
const user = await getUser(); const claims = await getIdTokenClaims();
Retrieve a Token from the Cache
With v2, we are introducing the possibility of retrieving a token from the cache without contacting Auth0 if no entry is found. To achieve that, we reworked the already existing
ignoreCache
argument for getTokenSilently
, which takes a boolean, to cacheMode
, which can accept three values:- on (default value): Use the cache, but call the
endpoint when no entry is found. This is the equivalent of whenoauth/token
was omitted or its value was set to false in v1.ignoreCache
- off: Do not use the cache, always call the
endpoint. This is the equivalent ofoauth/token
in v1.ignoreCache: true
- cache-only: Use the cache, do not call the
endpoint when no entry is found.oauth/token
To use our SDK and see if we have a token in the cache without contacting Auth0, you must set
cacheMode
to cache-only
when calling getTokenSilently
.const token = await client.getTokenSilently({ cacheMode: 'cache-only' });
URL Encoded Form Data
V1 of SPA-JS defaults to sending payloads using JSON when calling Auth0's
oauth/token
endpoint, but users can opt-in to send the data as x-www-form-urlencoded
instead.With the release of v2, we will default to sending the requests to the
oauth/token
endpoint using x-www-form-urlencoded
, while users can opt-in to using JSON as needed. Using x-www-form-urlencoded
has shown to have a small performance optimization and aligns more with what the spec describes.Summary
The Auth0 Single Page App SDK v2 improves both the developer and the user experience. On the one hand, it simplifies and makes working with the SDK API easier. On the other hand, it reduces the bundle size, which translates into faster downloads and processing times.
Thanks for reading!
About the author
Juan Cruz Martinez
Staff Developer Advocate