How to pass custom parameter to a custom OAuth2 connection?

I want to pass some additional parameter to the identity provider through Auth0. In my scenario the identity provider is controlled by me, added through Custom Social Connections extension.

It is noted in the docs that social login (/authorize) have an additional-parameter parameter which we can use to pass extra parameters to our identity provider. However I am not able to get this working.

For example when I hit:

https://skedulo.au.auth0.com/authorize?client_id=[some client id]&response_type=id_token token&redirect_uri=[some redir url]&connection=MyCustomConnection&sso=true&nonce=[random nounce]&state=1dvl1U5rf~veR47RJ-ZVJSMRI.Kn479B&audience=[my API]&scope=openid&redirect_url=https://localhost:8888&auth0Client=eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMC4xNC4wIiwibGliX3ZlcnNpb24iOiI4LjUuMCJ9&additional-parameter=asdf=asdf

(^ btw there seem to be some redundant parameters above (like redirect_uri vs redirect_url. This is the url generated by Auth0 lock)

It correctly redirects to my specified identity provider page that i’ve setup in my custom connections extension. However, the additional-parameter is no where to be found:

https://my.identityprovider.com/authtest/authorize?response_type=code&redirect_uri=https%3A%2F%2Fskedulo.au.auth0.com%2Flogin%2Fcallback&state=Cb4L1wIX0xqMmfe5oCBkEFcb5kuX0kQ0&client_id=4af4b3b675f63e002031cbbb148f2447

I tried a few variations like url-encoding the value for additional-parameter, but to no avail.
For the record, my client is set to OIDC compliant.

Am I missing something? All I need is to be able to pass some custom information from the frontend to my identity provider, such that it can perform some special actions depending on the values passed.

1 Like

Can you please update your question with the code you are using to set the additional parameters in Lock, as well as the Lock version you are using.

There’s no way to set it in Auth0 Lock (at least according to the documentation) and it’s not really relevant to the problem.

The real problem is the Authorization API (/authorize) which isn’t passing what’s set in additional-parameter over to my custom connection.

To my knowledge although the documentation mentions additional parameters, the parameter in question still needs to be supported like its the case for the two example parameters mentioned in the description. I’ll research what are the options in relation to your scenario and get back to you when I have more information.

Much appreciated. Thanks for looking into this.

As mentioned in the comments, the additional parameters that can be sent need to be recognized by the receiving endpoint which is mostly expecting OpenID Connect/OAuth2 standards parameters or some custom parameters already being used by popular providers. For example, this would be the case for the access_type parameter mentioned in the docs.

Despite this requirement custom OAuth2 connections can be configured to automatically map a known and accepted parameter, like the access_type one, to a custom parameter that is completely specific to the OAuth2 provider being configured. This automatic mapping is achievable by creating the connection with an authParamsMap options, for example:

{
  "name": "custom_oauth2",
  "options": {
    "client_id": "sad",
    "client_secret": "asd",
    // Other configuration parameters
    "authParamsMap": {
      "your_custom_param_here": "access_type"
    }
  },
  "strategy": "oauth2"
}

The above example would mean that when you pass an access_type parameter to /authorize and you requested the use of this custom connection then the value contained within the access_type parameter received in the authorization endpoint would be sent to the custom OAuth2 provide within the your_custom_param_here parameter.

This implies that the custom provider in question does not require the access_type parameter that is being mapped, however, given that’s a parameter that is being recognized due to the use by Google it’s highly unlikely that your custom provider requires it and as such is a good candidate for this mapping approach.

Finally, note that this option is not exposed through the extension you used so you’ll need to either create the connection through the Management API directly or patch an existing one created by the extension.

1 Like

Looks like this will solve my problem quite well. Thank you!

BTW if I want to pass in multiple parameters, how should they be encoded? Just url encoded?

Hi! I was having the same issue, but the problem happened because I misunderstood the docs.

Here’s a fix that I think it makes it more clear :slight_smile: Update aditional-parameter description by mjlescano · Pull Request #5018 · auth0/docs · GitHub

Really late answer… but only noticed this today while moving another answer to a comment. I confess that never used multiple ones, but that would either require finding multiple ones that are supported and unused or using something like access_type (only used by Google) and encoding a complex object within its value. For example using base64url encoding of JSON.

Hi! I was having the same issue, but the problem happened because I misunderstood the docs.

Here’s a fix that I think it makes it more clear :slight_smile: Update aditional-parameter description by mjlescano · Pull Request #5018 · auth0/docs · GitHub