We’re using Auth0-JS in a React app (with TypeScript) and looking at how we can implement impersonation securely. We’re toying with the idea of using an additional property when calling webAuth.authorize() or webAuth.checkSession(). We will use this extra property in conjunction with a rule to add claims to the tokens.
I have a proof of concept app that is adding a custom property & value to the options object, and a test rule that is catching when that extra value is on the context and adding test claims to the access & id tokens. This returns to the React app as I would expect, with the additional data in the idTokenPayload & access token.
I’m noticing that when the authorize() call is made, I get a console warning: Following parameters are not allowed on the /authorize endpoint: [customProp]. Everything seems to be working despite that; however, I’m concerned that might mean what we’re doing may break with future updates. Is what we’re doing expected use of the options, or is it a bad practice?
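An added example, not part of the original post and not Auth0's own code: a rule of the kind described above, written so that the browser-supplied customProp value is only honoured after a server-side authorization check. It assumes the extra parameter reaches the rule as context.request.query.customProp; the claim namespace, the role name and the target format are hypothetical.

```javascript
// Added example. NS, the role name and the target format are hypothetical.
const NS = 'https://example.com/'; // custom claims are namespaced

function impersonationRule(user, context, callback) {
  // Assumption: the extra authorize() option arrives as a query parameter.
  const query = (context.request && context.request.query) || {};
  const target = query.customProp;

  // No parameter: ordinary login, tokens are left untouched.
  if (typeof target !== 'string' || target.length === 0) {
    return callback(null, user, context);
  }

  // The parameter comes from the browser, so it proves nothing by itself.
  // Authorize against app_metadata, which end users cannot edit.
  const meta = user.app_metadata || {};
  const roles = Array.isArray(meta.roles) ? meta.roles : [];
  if (!roles.includes('support-impersonator')) {
    return callback(new Error('impersonation not permitted for this user'));
  }

  // Reject anything that does not look like a user id before it is
  // copied into a signed token.
  if (!/^[A-Za-z0-9|_.@-]{1,128}$/.test(target)) {
    return callback(new Error('invalid impersonation target'));
  }

  // Record both identities so APIs and audit logs can tell who acted.
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[NS + 'impersonating'] = target;
  context.accessToken[NS + 'impersonating'] = target;
  context.accessToken[NS + 'impersonator'] = user.user_id;
  return callback(null, user, context);
}
```

Because any client can append the parameter to the authorize request, the role check in the rule, not the presence of the parameter, is what decides whether the claims are issued.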