okta-react-router-6
v5.0.0
Published
React support for Okta
Downloads
9
Readme
Okta React SDK
Okta React SDK builds on top of the Okta Auth SDK.
This SDK is a toolkit to build Okta integration with many common "router" packages, such as react-router, reach-router, and others.
Users migrating from version 1.x of this SDK that required react-router should see Migrating from 1.x to learn what changes are necessary.
With the Okta Auth SDK, you can:
- Login and logout from Okta using the OAuth 2.0 API
- Retrieve user information
- Determine authentication status
- Validate the current user's session
All of these features are supported by this SDK. Additionally, using this SDK, you can:
- Add "secure" routes, which will require authentication before render
- Define custom logic/behavior when authentication is required
- Provide an instance of the Okta Auth SDK and the latest AuthState to your components using a React Hook or a higher-order component
This SDK does not provide any UI components.
This SDK does not currently support Server Side Rendering (SSR)
This library currently supports:
Getting Started
- If you do not already have a Developer Edition Account, you can create one at https://developer.okta.com/signup/.
- An Okta Application, configured for Single-Page App (SPA) mode. This is done from the Okta Developer Console. When following the wizard, use the default properties. They are are designed to work with our sample applications.
Helpful Links
- React Quickstart
- If you don't have a React app, or are new to React, please start with this guide. It will walk you through the creation of a React app, creating routes, and other application development essentials.
- Okta Sample Application
- A fully functional sample application built using this SDK.
- Okta Guide: Sign users into your single-page application
- Step-by-step guide to integrating an existing React application with Okta login.
- Strategies for Obtaining Tokens
Installation
This library is available through npm.
Install @okta/okta-react
npm install --save @okta/okta-react
Install peer dependencies
npm install --save react
npm install --save react-dom
npm install --save react-router-dom
npm install --save @okta/okta-auth-js
Usage
okta-react
provides the means to connect a React SPA with Okta OIDC information. Most commonly, you will connect to a router library such as react-router.
React-Router components (optional)
okta-react
provides a number of pre-built components to connect a react-router
-based SPA to Okta OIDC information. You can use these components directly, or use them as a basis for building your own components.
- SecureRoute - A normal
Route
except authentication is needed to render the component.
General components
okta-react
provides the necessary tools to build an integration with most common React-based SPA routers.
- Security - Accepts oktaAuth instance (required) and additional configuration as props. This component acts as a React Context Provider that maintains the latest authState and oktaAuth instance for the downstream consumers. This context can be accessed via the useOktaAuth React Hook, or the withOktaAuth Higher Order Component wrapper from it's descendant component.
- LoginCallback - A simple component which handles the login callback when the user is redirected back to the application from the Okta login site.
<LoginCallback>
accepts an optional properrorComponent
that will be used to format the output for any error in handling the callback. This component will be passed anerror
prop that is an error describing the problem. (see the<OktaError>
component for the default rendering)
Users of routers other than react-router
can use useOktaAuth to see if a authState.isPending
is false and authState.isAuthenticated
is true. If both are false, you can send them to login via oktaAuth.signInWithRedirect(). See the implementation of <LoginCallback>
as an example.
Available Hooks
These hooks can be used in a component that is a descendant of a Security
component (<Security>
provides the necessary context). Class-based components can gain access to the same information via the withOktaAuth
Higher Order Component, which provides oktaAuth
and authState
as props to the wrapped component.
- useOktaAuth - gives an object with two properties:
oktaAuth
- the Okta Auth SDK instance.authState
- the AuthState object that shows the current authentication state of the user to your app
Minimal Example in React Router
Create Routes
This example defines 3 routes:
- / - Anyone can access the home page
- /protected - Protected is only visible to authenticated users
- /login/callback - This is where auth is handled for you after redirection
Note: Make sure you have the /login/callback
url (absolute url) added in your Okta App's configuration.
A common mistake is to try and apply an authentication requirement to all pages, THEN add an exception for the login page. This often fails because of how routes are evaluated in most routing packages. To avoid this problem, declare specific routes or branches of routes that require authentication without exceptions.
Creating React Router Routes with class-based components
// src/App.js
import React, { Component } from 'react';
import { BrowserRouter as Router, Route, Routes } from 'react-router-dom';
import { SecureRoute, Security, LoginCallback } from '@okta/okta-react';
import { OktaAuth } from '@okta/okta-auth-js';
import Home from './Home';
import Protected from './Protected';
const oktaAuth = new OktaAuth({
issuer: 'https://{yourOktaDomain}.com/oauth2/default',
clientId: '{clientId}',
redirectUri: window.location.origin + '/login/callback'
});
class App extends Component {
render() {
return (
<Router>
<Security oktaAuth={oktaAuth}>
<Routes>
<Route path='/' element={<Home />}/>
<SecureRoute path='/protected/*' element={<Protected />}/>
<Route path='/implicit/callback' element={<LoginCallback />} />
</Routes>
</Security>
</Router>
);
}
}
export default App;
Creating React Router Routes with function-based components
import React from 'react';
import { SecureRoute, Security, LoginCallback } from '@okta/okta-react';
import { OktaAuth } from '@okta/okta-auth-js';
import Home from './Home';
import Protected from './Protected';
const oktaAuth = new OktaAuth({
issuer: 'https://{yourOktaDomain}.com/oauth2/default',
clientId: '{clientId}',
redirectUri: window.location.origin + '/login/callback'
});
const App = () => (
<Router>
<Security oktaAuth={oktaAuth}>
<Routes>
<Route path='/' element={<Home />}/>
<SecureRoute path='/protected/*' element={<Protected />}/>
<Route path='/implicit/callback' element={<LoginCallback />} />
</Routes>
</Security>
</Router>
);
export default App;
Show Login and Logout Buttons (class-based)
// src/Home.js
import React, { Component } from 'react';
import { withOktaAuth } from '@okta/okta-react';
export default withOktaAuth(class Home extends Component {
constructor(props) {
super(props);
this.login = this.login.bind(this);
this.logout = this.logout.bind(this);
}
async login() {
this.props.oktaAuth.signInWithRedirect();
}
async logout() {
this.props.oktaAuth.signOut('/');
}
render() {
if (this.props.authState.isPending) return <div>Loading...</div>;
return this.props.authState.isAuthenticated ?
<button onClick={this.logout}>Logout</button> :
<button onClick={this.login}>Login</button>;
}
});
Show Login and Logout Buttons (function-based)
// src/Home.js
const Home = () => {
const { oktaAuth, authState } = useOktaAuth();
const login = async () => oktaAuth.signInWithRedirect('/');
const logout = async () => oktaAuth.signOut('/');
if(authState.isPending) {
return <div>Loading...</div>;
}
if(!authState.isAuthenticated) {
return (
<div>
<p>Not Logged in yet</p>
<button onClick={login}>Login</button>
</div>
);
}
return (
<div>
<p>Logged in!</p>
<button onClick={logout}>Logout</button>
</div>
);
};
export default Home;
Use the Access Token (class-based)
When your users are authenticated, your React application has an access token that was issued by your Okta Authorization server. You can use this token to authenticate requests for resources on your server or API. As a hypothetical example, let's say you have an API that provides messages for a user. You could create a MessageList
component that gets the access token and uses it to make an authenticated request to your server.
Here is what the React component could look like for this hypothetical example:
import fetch from 'isomorphic-fetch';
import React, { Component } from 'react';
import { withOktaAuth } from '@okta/okta-react';
export default withOktaAuth(class MessageList extends Component {
constructor(props) {
super(props)
this.state = {
messages: null
}
}
async componentDidMount() {
try {
const response = await fetch('http://localhost:{serverPort}/api/messages', {
headers: {
Authorization: 'Bearer ' + this.props.authState.accessToken
}
});
const data = await response.json();
this.setState({ messages: data.messages });
} catch (err) {
// handle error as needed
}
}
render() {
if (!this.state.messages) return <div>Loading...</div>;
const items = this.state.messages.map(message =>
<li key={message}>{message}</li>
);
return <ul>{items}</ul>;
}
});
Use the Access Token (function-based)
When your users are authenticated, your React application has an access token that was issued by your Okta Authorization server. You can use this token to authenticate requests for resources on your server or API. As a hypothetical example, let's say you have an API that provides messages for a user. You could create a MessageList
component that gets the access token and uses it to make an authenticated request to your server.
Here is what the React component could look like for this hypothetical example:
import fetch from 'isomorphic-fetch';
import React, { useState, useEffect } from 'react';
import { useOktaAuth } from '@okta/okta-react';
export default MessageList = () => {
const { authState } = useOktaAuth();
const [messages, setMessages] = useState(null);
useEffect( () => {
if(authState.isAuthenticated) {
const apiCall = async () => {
try {
const response = await fetch('http://localhost:{serverPort}/api/messages', {
headers: {
Authorization: 'Bearer ' + authState.accessToken.accessToken
}
});
const data = await response.json();
setMessages( data.messages );
} catch (err) {
// handle error as needed
}
}
apiCall();
}
}, [authState] );
if (!messages) return <div>Loading...</div>;
const items = messages.map(message =>
<li key={message}>{message}</li>
);
return <ul>{items}</ul>;
};
Reference
Security
<Security>
is the top-most component of okta-react. It accepts oktaAuth instance and addtional configuration options as props.
oktaAuth
(required) The pre-initialized oktaAuth instance. See Configuration Reference for details of how to initialize the instance.
onAuthRequired
(optional) Callback function. Called when authentication is required. If this is not supplied, okta-react
redirects to Okta. This callback will receive oktaAuth instance as the first function parameter. This is triggered when a SecureRoute is accessed without authentication. A common use case for this callback is to redirect users to a custom login route when authentication is required for a SecureRoute.
Example
import { useNavigate, Route, Routes, BrowserRouter as Router } from 'react-router-dom';
import { OktaAuth } from '@okta/okta-auth-js';
const oktaAuth = new OktaAuth({
issuer: 'https://{yourOktaDomain}.com/oauth2/default',
clientId: '{clientId}',
redirectUri: window.location.origin + '/login/callback'
});
export default App = () => {
const navigate = useNavigate();
const customAuthHandler = (oktaAuth) => {
// Redirect to the /login page that has a CustomLoginComponent
// This example is specific to React-Router
navigate('/login');
};
return (
<Router>
<Security
oktaAuth={oktaAuth}
onAuthRequired={customAuthHandler}
>
<Routes>
<Route path='/login' element={<CustomLoginComponent />}>
{/* some routes here */}
</Routes>
</Security>
</Router>
);
};
PKCE Example
Assuming you have configured your application to allow the Authorization code
grant type, you can implement the PKCE flow with the following steps:
- Initialize [oktaAuth](Okta Auth SDK) instance (with default PKCE configuration as
true
) and pass it to theSecurity
component. - add
/login/callback
route with LoginCallback component to handle login redirect from OKTA.
import { OktaAuth } from '@okta/okta-auth-js';
import { Router, Route, Routes } from 'react-router-dom';
const oktaAuth = new OktaAuth({
issuer: 'https://{yourOktaDomain}.com/oauth2/default',
clientId: '{clientId}',
redirectUri: window.location.origin + '/login/callback',
});
class App extends Component {
render() {
return (
<Router>
<Security oktaAuth={oktaAuth}>
<Routes>
<Route path='/' element={<Home />}/>
<Route path='/login/callback' element={<LoginCallback />} />
</Routes>
</Security>
</Router>
);
}
}
SecureRoute
SecureRoute
ensures that a route is only rendered if the user is authenticated. If the user is not authenticated, it calls onAuthRequired if it exists, otherwise, it redirects to Okta.
SecureRoute
accepts onAuthRequired
as an optional prop, it overrides onAuthRequired from the Security component if exists.
SecureRoute
integrates with react-router
. Other routers will need their own methods to ensure authentication using the hooks/HOC props provided by this SDK.
As with Route
from react-router-dom
v6, <SecureRoute>
can take one of:
- a
element
prop that is passed a component - children components
LoginCallback
LoginCallback
handles the callback after the redirect to and back from the Okta-hosted login page. By default, it parses the tokens from the uri, stores them, then redirects to /
. If a SecureRoute
caused the redirect, then the callback redirects to the secured route. For more advanced cases, this component can be copied to your own source tree and modified as needed.
withOktaAuth
withOktaAuth
is a higher-order component which injects an oktaAuth instance and an authState object as props into the component. Function-based components will want to use the useOktaAuth
hook instead. These props provide a way for components to make decisions based on authState or to call Okta Auth SDK methods, such as .signInWithRedirect()
or .signOut()
. Components wrapped in withOktaAuth()
need to be a child or descendant of a <Security>
component to have the necessary context.
useOktaAuth
useOktaAuth()
is a React Hook that returns an object containing the authState object and the oktaAuth instance. Class-based components will want to use the withOktaAuth HOC instead. Using this hook will trigger a re-render when the authState object updates. Components calling this hook need to be a child or descendant of a <Security>
component to have the necessary context.
Using useOktaAuth
import React from 'react';
import { useOktaAuth } from '@okta/okta-react';
export default MyComponent = () => {
const { authState } = useOktaAuth();
if( authState.isPending ) {
return <div>Loading...</div>;
}
if( authState.isAuthenticated ) {
return <div>Hello User!</div>;
}
return <div>You need to login</div>;
};
Migrating between versions
Migrating from 3.x to 4.x
Updating the Security component
From version 4.0, the Security component starts to explicitly accept oktaAuth instance as prop to replace the internal authService
instance. You will need to replace the Okta Auth SDK related configurations with a pre-initialized oktaAuth instance.
Note
@okta/okta-auth-js
is now a peer dependency for this SDK. You must add@okta/okta-auth-js
as a dependency to your project and install it separately from@okta/okta-react
.<Security>
still accept onAuthRequired as a prop.
import { OktaAuth } from '@okta/okta-auth-js';
import { Security } from '@okta/okta-react';
const oktaAuth = new OktaAuth(oidcConfig);
export default () => (
<Security oktaAuth={oktaAuth} onAuthRequired={customAuthHandler}>
// children component
</Security>
);
Replacing authService instance
The authService
module has been removed since version 4.0. The useOktaAuth hook and withOktaAuth HOC are exposing oktaAuth
instead of authService
.
Replace
authService
withoktaAuth
when use useOktaAuthimport { useOktaAuth } from '@okta/okta-react'; export default () => { const { oktaAuth, authState } = useOktaAuth(); // handle rest component logic };
Replace
props.authService
withprops.oktaAuth
when use withOktaAuthimport { withOktaAuth } from '@okta/okta-react'; export default withOktaAuth((props) => { // use props.oktaAuth });
Replacing authService public methods
The oktaAuth
instance exposes similar public methods to handle logic for the removed authService
module.
login
is removedThis method called
onAuthRequired
, if it was set in the config options, orredirect
if noonAuthRequired
option was set. If you had code that was calling this method, you may either call youronAuthRequired
function directly orsignInWithRedirect
.redirect
is replaced bysignInWithRedirect
logout
is replaced bysignOut
logout
accepted either a string or an object as options. signOut accepts only an options object.If you had code like this:
authService.logout('/goodbye');
it should be rewritten as:
oktaAuth.signOut({ postLogoutRedirectUri: window.location.origin + '/goodbye' });
Note that the value for
postLogoutRedirectUri
must be an absolute URL. This URL must also be on the "allowed list" in your Okta app's configuration. If no options are passed or nopostLogoutRedirectUri
is set on the options object, it will redirect towindow.location.origin
after sign out is complete.getAccessToken
andgetIdToken
have been changed to synchronous methodsWith maintaining in-memory AuthState since Okta Auth SDK version 4.1, token values can be accessed in synchronous manner.
handleAuthentication
is replaced byhandleLoginRedirect
handleLoginRedirect
is called by theOktaLoginCallback
component as the last step of the login redirect authorization flow. It will obtain and store tokens and then callrestoreOriginalUri
which will return the browser to theoriginalUri
which was set before the login redirect flow began.authState
related methods have been collected in Okta Auth SDK AuthStateManager- Change
authService.updateAuthState
tooktaAuth.authStateManager.updateAuthState
- Change
authService.getAuthState
tooktaAuth.authStateManager.getAuthState
- Change
on
tooktaAuth.authStateManager.subscribe
clearAuthState
,emitAuthState
andemit
have been removed
- Change
By default
isAuthenticated
will be true if both accessToken and idToken are validIf you have a custom
isAuthenticated
function which implements the default logic, you should remove it.getTokenManager
has been removedYou may access the
TokenManager
with thetokenManager
property:const tokens = oktaAuth.tokenManager.getTokens();
Migrating from 2.x to 3.x
See breaking changes for version 3.0
Migrating from 1.x to 2.0
The 1.x series for this SDK required the use of react-router. These instructions assume you are moving to version 2.0 of this SDK and are still using React Router (v5+)
Replacing Security component
The <Security>
component is now a generic (not router-specific) provider of Okta context for child components and is required to be an ancestor of any components using the useOktaAuth
hook, as well as any components using the withOktaAuth
Higher Order Component.
Auth.js
has been renamed AuthService.js
.
The auth
prop to the <Security>
component is now authService
. The other prop options to <Security>
have not changed from the 1.x series to the 2.0.x series
Replacing the withAuth Higher-Order Component wrapper
This SDK now provides authentication information via React Hooks (see useOktaAuth). If you want a component to receive the auth information as a direct prop to your class-based component, you can use the withOktaAuth
wrapper where you previously used the withAuth
wrapper. The exact props provided have changed to allow for synchronous access to authentication information. In addition to the authService
object prop (previously auth
), there is also an authState
object prop that has properties for the current authentication state.
Replacing .isAuthenticated()
, .getAccessToken()
, and .getIdToken()
inside a component
Two complications of the 1.x series of this SDK have been simplified in the 2.x series:
- These functions were asynchronous (because the retrieval layer underneath them can be asynchronous) which made avoiding race conditions in renders/re-renders tricky.
- Recognizing when authentication had yet to be decided versus when it had been decided and was not authenticated was an unclear difference between
null
,true
, andfalse
.
To resolve these the authService
object holds the authentication information and provides it synchronously (following the first async determination) as an authState
object. While waiting on that first determination, the authState
object has an explicit .isPending
property. When the authentication updates the authService object will emit an authStateChange
event after which a new authState object is available.
Any component that was using withAuth()
to get the auth
object and called the properties above has two options to migrate to the new SDK:
- Replace the use of
withAuth()
with withOktaAuth(), and replace any of these asynchronous calls to theauth
methods with the values of the related authState properties. OR - Remove the use of
withAuth()
and instead use the useOktaAuth() React Hook to get the authService and authState objects. Any use of theauth
methods (.isAuthenticated()
,.getAccessToken()
, and.getIdToken()
) should change to use the already calculated properties of authState.
To use either of these options, your component must be a descendant of a <Security>
component, in order to have the necessary context.
These changes should result in less complexity within your components as these values are now synchronously available after the initial determination.
If you need access to the authService
instance directly, it is provided by withOktaAuth() as a prop or is available via the useOktaAuth() React Hook. You can use the examples in this README to see how to use authService to perform common tasks such as login/logout, or inspect the provided <LoginCallback>
component to see an example of the use of the authService
managing the redirect from the Okta site.
Updating your ImplicitCallback component
- If you were using the provided ImplicitCallback component, you can replace it with
LoginCallback
- If you were using a modified version of the provided ImplicitCallback component, you will need to examine the new version to see the changes. It may be easier to start with a copy of the new LoginCallback component and copy your changes to it. If you want to use a class-based version of LoginCallback, wrap the component in the [withOktaAuth][] HOC to have the authService and authState properties passed as props.
- If you had your own component that handled the redirect-back-to-the-application after authentication, you should examine the new LoginCallback component as well as the notes in this migration section about the changes to
.isAuthenticated()
,.getAccessToken()
, and.getIdToken()
.
Contributing
We welcome contributions to all of our open-source packages. Please see the contribution guide to understand how to structure a contribution.
Development
Installing dependencies for contributions
We use yarn for dependency management when developing this package:
yarn install
Commands
| Command | Description |
|--------------|------------------------------------|
| yarn install
| Install dependencies |
| yarn start
| Start the sample app using the SDK |
| yarn test
| Run unit and integration tests |
| yarn lint
| Run eslint linting tests |