
Adding custom properties to auth options sent with authorize() & checkSession()

webauth

#1

We’re using Auth0-JS in a React app (with TypeScript) and looking at how we can implement impersonation securely. We’re toying with the idea of using an additional property when calling webAuth.authorize() or webAuth.checkSession(). We will use this extra property in conjunction with a rule to add claims to the tokens.

I have a proof-of-concept app that is adding a custom property & value to the options object, and a test rule that is catching when that extra value is on the context and adding test claims to the access & id tokens. This returns to the React app as I would expect, with the additional data in the idTokenPayload & access token.

I’m noticing when the authorize() call is made, I get a console warn: Following parameters are not allowed on the /authorize endpoint: [customProp]. Everything seems to be working despite that, however I’m concerned that might mean what we’re doing may break with future updates. Is what we’re doing expected use of the options, or is it a bad practice?


#2

Hi @kizmar

According to these docs, additional parameters are supported but only for the ones whitelisted by the endpoint (which I don’t think is configurable).

This is mainly for supporting additional / custom parameters for upstream identity providers (docs).

My take is that your method is unsupported and you shouldn’t rely on the functionality as it may break in the future.

I do think that custom / extra parameters for use by rules would be a useful feature.

Hope this helps!
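
The rule described in the first post, as an added example that is not code from either poster or from Auth0: because the extra parameter is set in the browser, the rule treats it only as a request and issues claims only when server-side data permits it. It assumes the value reaches the rule as `context.request.query.customProp`; the claim namespace and the `app_metadata.can_impersonate` list are hypothetical names.

```javascript
// Added example: an Auth0 Rule using the (user, context, callback) signature.
// Assumptions: customProp arrives in context.request.query; NAMESPACE and
// app_metadata.can_impersonate are hypothetical names chosen for illustration.
const NAMESPACE = 'https://example.com/claims/';

function addImpersonationClaims(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const requested = query.customProp;

  // No custom parameter on this request: leave the tokens untouched.
  if (typeof requested !== 'string' || requested.length === 0) {
    return callback(null, user, context);
  }

  // The parameter comes from the client, so it is a request, not a grant.
  // The decision rests on app_metadata, which the end user cannot edit.
  const meta = user.app_metadata || {};
  const allowed = Array.isArray(meta.can_impersonate) ? meta.can_impersonate : [];
  if (!allowed.includes(requested)) {
    return callback(new Error('impersonation not permitted for this user'));
  }

  // Record both identities so APIs and audit logs can tell them apart.
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[NAMESPACE + 'impersonating'] = requested;
  context.accessToken[NAMESPACE + 'impersonating'] = requested;
  context.accessToken[NAMESPACE + 'impersonator'] = user.user_id;
  return callback(null, user, context);
}
```
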