Problem statement
When the “device” parameter is set in the authorization parameters, the resulting name in Auth0 is not returned as expected. For example, setting it to “iPhone” will result in some variation of the browser string getting persisted:
For example, using the ‘auth0-spa-js’ SDK:
const auth0 = new Auth0Client({
access_type: "offline",
domain: '...',
client_id: '...',
redirect_uri: window.location.href,
device: "iPhone"
});
This will result in the following device name:
Phone Mobile Safari UI/WKWebView
Solution
What happens behind the scenes, during the flow with the “device” parameter:
- If the “device” parameter is not passed:
- The user agent of the device is used
- If the “device” parameter is passed:
- Attempt to parse the value as a user agent. If so, generate a name based on the information for the user agent
- If not parsable as a user agent, store the string as-is
The parsing action is via a 3rd party library, and whether or not it thinks something contains all or part of a user agent is up to that library. Based on this, depending on the choice of string, it may appear that the device is freeform, but this is only because it couldn’t be parsed as a user agent.
Because some of the strings contain things that the user agent parsing believes indicate a user agent, they are parsed and interpreted. Unfortunately, there is no bypass for this.
One possible workaround, for now, would be to use strings that do not match the user agent parser. While “iPhone” and “Android” match, “iphone” and “android” currently do not. Since this behavior is, however, subject to change, there is no guarantee that this is a behavior that will continue to work. For instance, if the library is updated in the future, the workaround may stop working.
Related References
- There is not much mention of this parameter around, but it is referenced in the Lock Authentication Parameter documentation.