Skip to content

feat: add support for Online Access (Online Refresh Tokens)#1133

Draft
NandanPrabhu wants to merge 3 commits into
mainfrom
feat/online-access
Draft

feat: add support for Online Access (Online Refresh Tokens)#1133
NandanPrabhu wants to merge 3 commits into
mainfrom
feat/online-access

Conversation

@NandanPrabhu

Copy link
Copy Markdown

Summary

Adds full support for Online Access (Online Refresh Tokens / ORTs) in auth0-react, mirroring the underlying auth0-spa-js feature.

Most of the configuration surface (refreshTokenMode, useDpop, useMrrt, useRefreshTokens) already passed through automatically via Auth0Provider's existing Auth0ClientOptions spread — no changes needed there. The one real gap was revokeRefreshToken(), which didn't exist anywhere in the SDK.

Changes

  • Added revokeRefreshToken(options?) to Auth0ContextInterface, exposed via useAuth0()
  • Implemented in Auth0Provider as a useCallback that calls client.revokeRefreshToken() then re-syncs isAuthenticated/user via client.getUser() — correctly reflects both online-mode session clearing and offline-mode no-op behavior
  • Exported RefreshTokenMode, InvalidConfigurationError, MissingScopesError, RevokeRefreshTokenOptions from the package root
  • Updated the Auth0Client Jest mock
  • 6 new tests covering config passthrough, method availability, options forwarding, online/offline state behavior, and error propagation
  • New "Online Access (Online Refresh Tokens)" section in EXAMPLES.md

Usage

import { useAuth0, RefreshTokenMode } from '@auth0/auth0-react';

<Auth0Provider
  domain={domain}
  clientId={clientId}
  useRefreshTokens={true}
  refreshTokenMode={RefreshTokenMode.Online}
  useDpop={true}
  authorizationParams={{ redirect_uri: window.location.origin }}
>
  <App />
</Auth0Provider>
const { revokeRefreshToken } = useAuth0();
await revokeRefreshToken();

Testing

  • All tests pass (npx jest --no-coverage — 144 tests)
  • npx tsc --noEmit — zero TypeScript errors
  • npm run lint — zero errors/warnings
  • Built against a local, linked copy of auth0-spa-js and smoke-tested RefreshTokenMode/revokeRefreshToken resolve correctly

This is a draft PR pending final review.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 38f61588-6490-4169-ab71-70dda598fc2b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/online-access

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Adds revokeRefreshToken() to the useAuth0 hook, wrapping the underlying
Auth0Client method and keeping isAuthenticated/user in sync after the call.
This is the one gap in Online Access support — refreshTokenMode, useDpop,
and useMrrt already pass through Auth0Provider's existing Auth0ClientOptions
config surface.

Also exports RefreshTokenMode, InvalidConfigurationError, MissingScopesError,
and RevokeRefreshTokenOptions from the package root, and documents the
feature in EXAMPLES.md.
Online Access (Online Refresh Tokens) is gated behind Auth0 account team
enablement. Adds the same Early Access notice used for the MFA section.
RefreshTokenMode is not exported until 2.23.0 — the previous ^2.22.0
range let installs resolve to an older minor where RefreshTokenMode is
undefined, breaking refreshTokenMode: RefreshTokenMode.Online at runtime.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant