okta-react
💥 Stop making breaking changes
Dear Okta Developers and PMs:
This library along with the @okta/okta-signin-widget and @okta/okta-auth-js have been version revving and introducing breaking changes (for little to no reason) quite frequently. As a developer, I expect libraries coming from a commercial product to be fairly stable and work together with their other libraries very nicely. At this point, I can't trust this library or the other libraries I have mentioned to work together at all without several iterations of add/remove/revert and this has forced me to lock my versions and not upgrade. I urge you to introduce a beta channel, make sure all the libraries work together before releasing and show a little empathy for the developers using this library.
Sincerely -
Ordinary developer who wants an easy upgrade path
I have run into this as well. There's not much indication that @okta/okta-auth-js and @okta/okta-react are somewhat incompatible at this time.
Couldn't agree more - it's currently in an unusable state for a developer starting a new project, which I discovered when attempting to deploy a new app based on 5.x for okta-react and okta-auth-js - all the readme documentation is completely wrong now and pieces of okta-react are inherently incompatible with okta-auth-js 5.x despite requiring it!
I hear what y'all are saying. I stumbled upon this issue myself when upgrading to Auth JS 5.0 this morning. It took me a while (and some internal help) to realize that v5.1.1 depends on Auth JS 4.8.0.
https://github.com/okta/okta-react/blob/master/package.json#L43
I did test Okta React 5.1.1 with Auth JS 4.9.0 and proved it works. In case you aren't aware, the Okta CLI provides an easy way to create a React app with the proper dependencies.
okta start react
This pulls from https://github.com/okta-samples/okta-react-sample. I try to update this repo weekly.
Appreciate the update! I think the bulk of the confusion likely stems from the fact that all documentation has you install npm install --save @okta/okta-auth-js without a pinned version separately to use the okta-react library, and the unpinned npm install command grabs the latest version (which is inherently incompatible with the latest version of okta-react) so anyone who is following any of Okta's quickstart guide or even just this repo's README is going to find themselves in a very confusing situation. Either way, looks like the PR is just about to be merged to resolve all of this so it seems like we've got it figured out!
@tbarrettwilsdon Thank you for the information. okta-react is "downstream" from okta-auth-js so whenever a new version of okta-auth-js is released there is a moment in time before the downstream SDKs are updated. A version of okta-react that is compatible with okta-auth-js version 5 will be coming soon (internal ref: OKTA-392445). We will also update documentation in the README and quickstart guide.
Suddenly making the restoreOriginalUri prop required is a great example of this. Why not make it optional and simply behave as it did prior?
It even could have been temporarily by serving a deprecation notice: prop will soon be required. This way developers would at least be given a heads up to the impending change.
+1000 to this!
> @tbarrettwilsdon Thank you for the information. okta-react is "downstream" from okta-auth-js so whenever a new version of okta-auth-js is released there is a moment in time before the downstream SDKs are updated. A version of okta-react that is compatible with okta-auth-js version 5 will be coming soon (internal ref: OKTA-392445). We will also update documentation in the README and quickstart guide.
I understand the dependencies here but it should have never been released until all components are compatible (or at minimal some sort of error/warning/notification). This is a commercial product (despite it being on GitHub - you prove that by referencing internal tickets and not even merging my pull requests in the past) - we as developers have to use this thing day in and day out and having bosses asking us why is this not working, we paid $$ for Okta.
One suggestion is to lock the okta-auth-js module with caret (^) to make sure that both major versions are compatible. Then upgrade both packages together when needed.
Shared from another issue https://github.com/okta/okta-react/issues/119#issuecomment-831914696
We'll also look into patterns to prevent this kind of accidental breaking change (upstream change breaks the downstream without an intentional upgrade) to make the SDK robust.
I just upgraded to react-okta 5.1.1 and my experience was that it did not work with okta-auth-js 4.8.0, I was seeing a TypeScript error on the oktaAuth object -- but it did work with 4.9.0.
> I hear what y'all are saying. I stumbled upon this issue myself when upgrading to Auth JS 5.0 this morning. It took me a while (and some internal help) to realize that v5.1.1 depends on Auth JS 4.8.0.
@mraible Not only depends - it is practically pinned there, and you can't really upgrade because you end up with 2 copies of Auth JS in your bundle (see https://github.com/okta/okta-react/issues/114).
I just did npm install @okta/okta-auth-js @okta/okta-react which installed
"@okta/okta-auth-js": "^5.0.1",
"@okta/okta-react": "^5.1.2",
After setting up the config I'm getting this error:
AuthSdkError: Passed in oktaAuth is not compatible with the SDK, okta-auth-js version 4.x is the current supported version.
From reading above it sounds like there's some mismatch. Anyone know which versions of both work best together?
> Suddenly making the restoreOriginalUri prop required is a great example of this. Why not make it optional and simply behave as it did prior?
> It even could have been temporarily by serving a deprecation notice: prop will soon be required. This way developers would at least be given a heads up to the impending change.
Would be great to update the docs to add in this new required prop as well: https://developer.okta.com/docs/guides/sign-into-spa/react/configure-the-sdk/
> Anyone know which versions of both work best together?
@cmacdonnacha From my experience - pick latest okta-react (v5.1.2) and okta-auth-js v4.8 (due to #114).
Thanks @khitrenovich, I'm going to lock package.json to use these two for now.
@cmacdonnacha With okta-react v5.1.2, it throws a runtime error if there is a mismatch in versions. See details here.
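The mismatch discussed in the comments above (an app-level okta-auth-js outside the range okta-react declares, or two copies in the tree as in #114) can be caught in CI by auditing package-lock.json before the bundle ships. The sketch below is an added example, not part of the thread or Okta's code; the lockfile contents are constructed and the `^4.8.0` range is an assumption based on the comment that v5.1.1 depends on Auth JS 4.8.0.

```javascript
const AUTH_JS = '@okta/okta-auth-js';
const REACT = '@okta/okta-react';

// "4.8.0" or "^4.8.0" -> [major, minor, patch]
const parse = (v) => v.replace(/^\^/, '').split('.').map(Number);

// Simplified semver: caret ranges with major >= 1, anything else is an exact pin.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const [vMaj, vMin, vPat] = parse(version);
  const [rMaj, rMin, rPat] = parse(range);
  if (vMaj !== rMaj) return false;
  return vMin > rMin || (vMin === rMin && vPat >= rPat);
}

// Audit the `packages` map of a package-lock.json (lockfileVersion 2 or 3).
function auditOktaPair(lock) {
  const pkgs = lock.packages;
  const react = pkgs[`node_modules/${REACT}`];
  if (!react) return { ok: false, findings: [`${REACT} is not installed`] };
  // The range okta-react declares for auth-js, as peer or regular dependency.
  const range = (react.peerDependencies || {})[AUTH_JS]
    || (react.dependencies || {})[AUTH_JS];
  // Every installed copy, top-level or nested under another package.
  const copies = Object.keys(pkgs)
    .filter((p) => p.endsWith(`node_modules/${AUTH_JS}`))
    .map((p) => ({ path: p, version: pkgs[p].version }));
  const findings = [];
  if (copies.length > 1) {
    findings.push(`duplicate ${AUTH_JS}: ${copies.map((c) => c.version).join(', ')}`);
  }
  const top = copies.find((c) => c.path === `node_modules/${AUTH_JS}`);
  if (!top) {
    findings.push(`no top-level ${AUTH_JS}`);
  } else if (range && !satisfies(top.version, range)) {
    findings.push(`app has ${AUTH_JS}@${top.version}, ${REACT}@${react.version} declares ${range}`);
  }
  return { ok: findings.length === 0, findings };
}

// Constructed tree: unpinned install pulled auth-js 5.x next to okta-react 5.1.2.
// The ^4.8.0 range is an assumption, not read from the real package.json.
const brokenLock = { packages: {
  'node_modules/@okta/okta-auth-js': { version: '5.0.1' },
  'node_modules/@okta/okta-react': {
    version: '5.1.2', dependencies: { '@okta/okta-auth-js': '^4.8.0' } },
  'node_modules/@okta/okta-react/node_modules/@okta/okta-auth-js': { version: '4.8.0' },
} };
console.log(auditOktaPair(brokenLock).findings);
```

Failing the build when `ok` is false surfaces the problem at install time instead of as a runtime AuthSdkError in the login flow.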
What a mess! 🥴
Trying to get this sorted, and it seems the typescript defs are out of sync with everything too.
Trying to use okta-auth-js 5 with okta-react 6
Trying to use the <Security> component results in
Property 'restoreOriginalUri' is missing in type '{ children: Element; oktaAuth: OktaAuthBrowser; }' but required in type '{ oktaAuth: OktaAuthBrowser; restoreOriginalUri: RestoreOriginalUriFunction; onAuthRequired?: OnAuthRequiredFunction | undefined; children?: ReactNode; }'.
@DanielJoyce I upgraded one of our samples yesterday to use Okta React v6 and Auth JS v5. Maybe it'll help? https://github.com/okta-samples/okta-react-sample/commit/3e8e7cf4e2ace25de2880685ba85360ea79fdba8
You could also test it out with the Okta CLI. Just run okta start react. Here's a video that shows how it works.
The problem is the typescript definitions are broken which breaks compilation for me. This doesn't make sense to me as the project is using typescript, but it appears the type definitions are not being regenerated when a release is made for this project.
I suspect your build/release system is not properly handling this step.
Will okta-react v6 work ok with okta-auth-js v5.2 that was released 3 days ago?
@cmacdonnacha [email protected] is expected to work fine with okta-react v6 (there seem to be no known issues; I also tried 5.2.0 in custom-login sample app with no errors spotted).
@DanielJoyce TS definitions are emitted and packaged during library build - they should be in sync with package's code. Can you please share code which throws compilation errors?
They should be, but this ticket implies otherwise:
https://github.com/okta/okta-react/issues/140 Authstate can be null though types implies otherwise
https://github.com/okta/okta-react/issues/119 Same thing, type definitions not matching code, though supposedly rebuilt from code
<Security> component complains with:
Property 'restoreOriginalUri' is missing in type '{ children: Element; oktaAuth: OktaAuthBrowser; }' but required in type '{ oktaAuth: OktaAuthBrowser; restoreOriginalUri: RestoreOriginalUriFunction; onAuthRequired?: OnAuthRequiredFunction | undefined; children?: ReactNode; }'.
okta-auth-js also has similar problems.
getUserInfo is documented, exists in source, but is missing from the generated types files in a few spots, such as OktaAuth (docs say it should be on OktaAuth as a convenience method, but it's not according to d.ts files)
Okta react 6.0.0
Okta Auth 5.2.0
Looking at tsconfig json
"noImplicitAny": false,
app/App.tsx(85,12):
Property 'restoreOriginalUri' is missing in type '{ children: Element; oktaAuth: OktaAuth; }' but required in type '{ oktaAuth: OktaAuth; restoreOriginalUri: RestoreOriginalUriFunction; onAuthRequired?: OnAuthRequiredFunction | undefined; children?: ReactNode; }'. TS2741
83 | <Router>
84 | <Contexts>
> 85 | <Security oktaAuth={oktaAuth}>
| ^
86 | <Switch>
87 | <Route path={ROUTES.LOGIN.path} component={AuthView} />
88 | <Route path={ROUTES.INDEX.path} component={AppContent} />
This still breaks even if I remove the Switch element, thinking that perhaps Security could only wrap routes.
I hope Okta team will use this more as a feedback thread than just simple lashing out. I am joined in pain with most developers here.
For me the crucial thing is documenting why new breaking changes are being implemented. Is it because it implements additional security? Is it because the new version is faster?
Are there any dangers to using okta 5 or 4 in comparison to new version 6? What are the benefits of moving to a new version?
If you look at the release schedule, each major break occurred in 3/4 months period. IMO this is a bit extreme, unless it's required because of sec reasons, documenting why those changes were implemented should ease off some of the frustrations that people post here.
- Document why major changes are being implemented
- If old methods are secure, leave them with deprecating warnings for at least one major bump
- Create a roadmap for future changes, so devs know what to expect in the future
- The readme doc, because of these breaking changes, is getting longer and longer, maybe you should separate them into different files.
- Please try to understand that most devs do not have the time to reimplement the authentication method every 3 months (unless required by security issues).
At this moment I am forced to use Okta because it's required by my corp, however because of the dev experience I would not recommend Okta to any developer or organisation.
Docs need to be kept up to date with releases too. I've definitely run into bugs in docs vs what typescript says.
Setting strict: true in tsconfig.json points out several areas where authstate being null might not be properly handled.
Does anyone have an example for implicit callback and the exact version numbers which work in combination?
After an upgrade to okta-react v6 and okta-auth-js v5 (both latest releases) authState is null for me.