Auth0 Lock SDK Major Changes and Updates

Overview

This article highlights some of the major changes and updates to the Lock SDK over the years.

Applies To
  • Lock SDK
  • Customize Login Page (Classic Universal Login)
  • Custom Domain
  • Cross-Origin Authentication
Cause

It's recommended that customers migrate away from Lock's two main use cases:

  • Cross-Origin Authentication
  • Customized Login Pages with Classic Universal Login 

However, if Lock is still being used, keep in mind that when using the Customize Login Page feature (where the login page is hosted at /login instead of /u/login), the Lock SDK version does not automatically update, and many new features are not implemented in old Lock SDK versions.

Solution

NOTE: To ensure the latest Lock SDK version is always in use, check the Auth0 Lock SDK Releases page.


Auth0 Lock SDK: Key Changes Across All Versions


Version 11.x

  • Cross-origin authentication and Custom Domains: Version 11 supports custom domains with cross-origin authentication.
  • Passwordless Mode: Version 11.2.0 allows for authentication via a one-time code or a "magic link". 
  • Security Enhancements:
    • HTML Stripping from Signup Fields (v11.33.0): To prevent potential XSS attacks, all HTML tags are stripped from user input in custom signup fields.
    • reCAPTCHA Enterprise Support (v11.30.0): Added support for Google's reCAPTCHA Enterprise.

Version 12.x

  • Lock (v12.0.0) is now built with React 18, resolving several security vulnerabilities and improving performance. Also, version 12 is completely API-compatible with version 11. 
  • Enhanced CAPTCHA Support: This version introduced support for a variety of CAPTCHA providers to improve security, including:
  • Distribution Change (v12.0.0): Bower support was dropped. 

Version 14.x

  • Dropped Internet Explorer Support (v14.0.0): Support for Internet Explorer was officially removed in this version.

Version 10.x

A significant change was introduced in Lock v10 and continued in all subsequent versions (v11, v12, and newer). The authParams option at the root of the Lock configuration object was deprecated and moved inside the auth object under the key params.

Prior to Lock v10, authentication parameters (such as scope, state, or any custom parameters that need to be sent to the /authorize endpoint) were passed via an authParams object at the root of the Lock options.


Before (Lock v9 and older):

var options = {
  // ... other options
  authParams: {
    scope: 'openid email profile',
    state: 'YOUR_CUSTOM_STATE'
  }
};

var lock = new Auth0Lock(clientID, domain, options);


Starting with Lock v10, these parameters were consolidated and moved into a params object, which itself resides within the main auth configuration object. This was done to group all authentication-related settings together for better organization and clarity.

After (Lock v10 and newer):

var options = {
  //... other options
  auth: {
    redirectUrl: 'YOUR_CALLBACK_URL',
    responseType: 'code', // Or 'token'
    params: {
      scope: 'openid email profile', // This replaces the old authParams
      state: 'YOUR_CUSTOM_STATE'
    }
  }
};

var lock = new Auth0Lock(clientID, domain, options);
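The following is an added example, not Auth0's own code, showing how a pre-v10 options object can be converted to the v10+ shape described above and how a leftover root-level authParams block can be flagged before it reaches Auth0Lock. The option values are constructed for illustration, and Auth0Lock itself is not called here.

```javascript
// Migrate a Lock v9-style options object to the v10+ layout by moving the
// root-level `authParams` block under `auth.params`. Other options are kept.
function migrateLockOptions(legacyOptions) {
  const { authParams, auth, ...rest } = legacyOptions;
  if (authParams === undefined) {
    // Already in v10+ shape (or no auth parameters at all): return a copy.
    return { ...rest, ...(auth !== undefined ? { auth } : {}) };
  }
  const existingAuth = auth || {};
  const existingParams = existingAuth.params || {};
  // Keys already present under auth.params take precedence, so a partially
  // migrated configuration is not overwritten by stale legacy values.
  const mergedParams = { ...authParams, ...existingParams };
  return {
    ...rest,
    auth: { ...existingAuth, params: mergedParams },
  };
}

// Report deprecated usage so it can be caught in a build step or code review
// instead of being discovered when scope or state is missing at /authorize.
function findDeprecatedAuthParams(options) {
  const problems = [];
  if (Object.prototype.hasOwnProperty.call(options, 'authParams')) {
    problems.push('root-level authParams is deprecated in Lock v10+; move it to auth.params');
  }
  return problems;
}

// Constructed sample: a v9-style configuration with one unrelated option.
const legacy = {
  theme: { primaryColor: '#1a73e8' },
  authParams: { scope: 'openid email profile', state: 'YOUR_CUSTOM_STATE' },
};

const migrated = migrateLockOptions(legacy);
// migrated.auth.params now holds scope and state; migrated.authParams is gone.
console.log(findDeprecatedAuthParams(legacy));   // one warning
console.log(findDeprecatedAuthParams(migrated)); // []
```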
