v9 -> v10-rc.X
v10 is still a release candidate.
oidcSpa({
browserRuntimeFreeze: { enabled: true },
tokenSubstitution: {
enabled: true,
- trustedThirdPartyResourceServers: ["s3.amazonaws.com"],
+ trustedExternalResourceServers: [
+ "*.{{location.hostname.split('.').slice(-2).join('.')}}",
+ "s3.amazonaws.com"
+ ]
},
+ DPoP: { mode: "auto" /* or "enforced" */}
}); createOidc({ // or bootstrapOidc({
// ...
- dpop: "auto"
}) import { oidcEarlyInit } from "oidc-spa/entrypoint";
-import { enableTokenSubstitution } from "oidc-spa/token-substitution";
+import { browserRuntimeFreeze } from 'oidc-spa/browser-runtime-freeze';
+import { DPoP } from 'oidc-spa/DPoP';
+import { tokenSubstitution } from 'oidc-spa/token-substitution';
const { shouldLoadApp } = oidcEarlyInit({
- browserRuntimeFreeze: { enabled: true },
- extraDefenseHook: () => {
- enableTokenSubstitution({
- trustedThirdPartyResourceServers: ["s3.amazonaws.com"]
- });
- }
+ securityDefenses: {
+ ...browserRuntimeFreeze({
+ //exclude: [ "fetch", "XMLHttpRequest", "Promise"]
+ }),
+ ...DPoP({ mode: 'auto' }),
+ ...tokenSubstitution({
+ trustedExternalResourceServers: [
+ "s3.amazonaws.com",
+ `*.${location.hostname.split('.').slice(-2).join('.')}`,
+ ],
+ }),
+ }
});
Takeaways:
`trustedThirdPartyResourceServers` has been renamed to `trustedExternalResourceServers`.
If you want to trust same-site origins (`*.my-domain.com`), you must now state this explicitly with `"*.{{location.hostname.split('.').slice(-2).join('.')}}"` (previously it was enabled by default). Note that this expression keeps only the last two labels of the current hostname, so on a multi-label public suffix (e.g. a site served from `app.example.co.uk`) it resolves to `*.co.uk`; in that case spell out the intended domain instead of deriving it from `location.hostname`.

DPoP is now enabled globally (`DPoP: { mode: "auto" }` / `DPoP({ mode: 'auto' })`), not per OIDC client instance.