Migrating Angular 1.x applications from Lock v10 to v11
Update the Lock library using npm or yarn.
    # installation with npm
    npm install --save auth0-lock
    # installation with yarn
    yarn add auth0-lock
Once updated, you can add it to your build system or bring it in to your project with a script tag.
If you do not want to use a package manager, you can retrieve Lock from Auth0's CDN.
AngularJS (a.k.a. Angular 1.x) applications usually use the angular-lock package. To use Auth0.js v9 you need to update to the latest version (3.x).
You can update the angular-lock library using npm or yarn.
    # installation with npm
    npm install --save angular-lock
    # installation with yarn
    yarn add angular-lock
The script files need to be added to your build system, or added to the project with a script tag.
Configure Your Auth0 Client for Embedded Login
When implementing embedded login, Lock v11 will use cross-origin calls inside hidden iframes to perform authentication. To make sure this can be done securely, Auth0 needs to know the domains where you will be hosting your applications.
Add the domain to the Allowed Web Origins field. You can find this field in the Client Settings area of your Dashboard.
Change calls to getProfile()
The getProfile() function was reimplemented in Auth0.js v9. The previous implementation received an ID Token as a parameter and returned the user profile.
The new implementation requires an Access Token parameter.
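The same change inside an `authenticated` handler, as an added example that is not Auth0's own code. `wireProfileLoading`, `makeStubLock` and `runDemo` are hypothetical names, and the stub with its constructed token values stands in for a Lock v11 instance so the flow runs offline.

```javascript
// Added example, not Auth0's code. `lock` is assumed to be an Auth0Lock v11
// instance (or the angular-lock `lock` service wrapping one).
function wireProfileLoading(lock, onProfile, onError) {
  lock.on('authenticated', function (authResult) {
    // Lock v10 code passed authResult.idToken here. In v11 getProfile()
    // needs the Access Token, so fail loudly if none was returned
    // instead of silently falling back to the ID Token.
    var accessToken = authResult && authResult.accessToken;
    if (typeof accessToken !== 'string' || accessToken.length === 0) {
      onError(new Error('authResult has no accessToken; getProfile() cannot be called'));
      return;
    }
    lock.getProfile(accessToken, function (error, profile) {
      if (error) {
        onError(error);
        return;
      }
      onProfile(profile);
    });
  });
}

// Constructed stand-in for Lock (hypothetical). It accepts only the
// constructed Access Token value and rejects anything else.
function makeStubLock() {
  var handlers = {};
  return {
    on: function (event, cb) { handlers[event] = cb; },
    emit: function (event, payload) { handlers[event](payload); },
    getProfile: function (token, cb) {
      if (token === 'constructed-access-token') {
        cb(null, { sub: 'auth0|constructed-user', email: 'user@example.com' });
      } else {
        cb(new Error('Unauthorized'));
      }
    }
  };
}

// Drives the handler with a constructed authResult and returns what happened.
function runDemo(authResult) {
  var lock = makeStubLock();
  var outcome = { profile: null, error: null };
  wireProfileLoading(lock,
    function (p) { outcome.profile = p; },
    function (e) { outcome.error = e.message; });
  lock.emit('authenticated', authResult);
  return outcome;
}
```
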
[Optional] Remove the oidcConformant parameter
The oidcConformant flag was used in Lock to disable legacy endpoints. Lock 11 never uses these legacy endpoints, so the flag is unnecessary. If specified, it will simply be ignored.
Behavioral Changes in Lock v11
Hosted Login Pages
Auth0.js 9 and Lock v11 are designed for embedded login scenarios and cannot be used when customizing the Hosted Login Page.
If you have customized the Hosted Login Page, keep using Auth0.js v8 / Lock v10.
Usage in Popup Mode
When using Popup Mode in previous versions of Lock, a new browser window was opened and immediately closed in order to complete the authentication transaction. In Lock 11 that window is opened in a hidden iframe, providing a better user experience.
Last Time you Logged in With window with Authorization Code Flow
Lock 11 will never show the Last time you logged in with window when using the Authorization Code Flow (i.e. specifying response_type='code'). It will always prompt for credentials.
If you want to avoid showing the Lock dialog when there's an existing session in the server, you can use Auth0.js's checkSession() function.
Single Sign On Using IP Ranges
In earlier versions of Lock, you could configure an IP range in an Active Directory/LDAP connection. You could then use that range to allow integrated Windows Authentication if the user's IP was within the range. When this was true, Lock would display a button enabling SSO for that user.
This functionality has been removed from Lock 11. There is no IP detection and the user will get redirected to the Active Directory login page where they will have to type in their credentials. It will still be available when using centralized login.
Lock 11 will default the scope parameter to 'openid profile email'. This is to make the Last time you logged in with window work correctly.
If you don't specify that scope when initializing Lock, and you are running your website from http://127.0.0.1, you will get the following error in the browser console:
Consent required. When using `getSSOData`, the user has to be authenticated with the following scope: `openid profile email`