Skip to content

Add silentAuthResponseMode configuration option #1471

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rschick wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add silentAuthResponseMode configuration option #1471

rschick wants to merge 1 commit into from

Conversation

@rschick
Copy link

@rschick rschick commented Nov 25, 2025

Changes

This PR adds a new silentAuthResponseMode configuration option to Auth0ClientOptions that allows developers to choose between 'web_message' (postMessage) and 'query' (URL polling) response modes for silent authentication flows.

What Changed

New Configuration Option (src/global.ts)

  • Added silentAuthResponseMode?: 'web_message' | 'query' to Auth0ClientOptions
  • Defaults to 'web_message' for backward compatibility
  • Only affects getTokenSilently and checkSession methods
  • Other methods (loginWithPopup, loginWithRedirect, getTokenWithPopup) remain unaffected with their hardcoded response modes

Refactored runIframe Function (src/utils.ts)

  • Split runIframe into three functions:
    • runIframeWithWebMessage: Handles postMessage-based communication (existing behavior)
    • runIframeWithQueryMode: New URL polling implementation that checks iframe.contentWindow.location.href every 100ms
    • runIframe: Main delegator function that routes to the appropriate handler
  • Updated signature: runIframe(authorizeUrl, eventOrigin, timeoutInSeconds, responseMode, redirectUri)

Updated Silent Auth Flow (src/Auth0Client.ts)

  • Modified _getTokenFromIFrame method to:
    • Pass silentAuthResponseMode to _prepareAuthorizeUrl
    • Pass silentAuthResponseMode and redirect_uri to runIframe
    • Send the configured response_mode value to Auth0 in the authorization URL

Why This is Important

The 'query' response mode provides a fallback for restrictive environments where postMessage communication may be blocked or limited (e.g., certain enterprise security policies, iframe restrictions). This gives developers more flexibility when implementing silent authentication.

Usage

const auth0 = new Auth0Client({
  domain: 'example.auth0.com',
  clientId: 'YOUR_CLIENT_ID',
  silentAuthResponseMode: 'query' // or 'web_message' (default)
});

// This will now use query mode for silent auth
await auth0.getTokenSilently();

References

Testing

All existing tests have been updated to account for the new 5-parameter runIframe signature.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Checklist

@rschick
Add silentAuthResponseMode configuration option
435ab3d 
- Add silentAuthResponseMode option ('web_message' or 'query') for silent auth flows
- Implement URL polling mode in runIframe to support query response mode alongside postMessage
@rschick rschick requested a review from a team as a code owner November 25, 2025 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rschick