Auth0 parameters whitelist: claims

brian.hulick · 2018-12-13 14:33:58 UTC

Currently, I pass some additional querystring parameters to the hosted login url by using my own properties on the options object passed to the authorize method and just live with the console warnings that they generate.
However, in looking through the whitelisted parameters:

github.com

auth0/auth0.js/blob/master/src/helper/parameters-whitelist.js

// For future reference:,
// The only parameters that should be whitelisted are parameters
// defined by the specification, or existing parameters that we
// need for compatibility

import objectHelper from './object';

var tokenParams = [
  // auth0
  'realm',
  'audience',
  // oauth2
  'client_id',
  'client_secret',
  'redirect_uri',
  'scope',
  'code',
  'grant_type',
  'username',
  'password',

This file has been truncated. show original

I see “claims” as being whitelisted which appears to allow me to pass an object (list of name-value pairs, in my case) that has been serialized to JSON and I am able to then access them in the auth0 rules. This also eliminates the warnings I’m getting.
I am not finding any information anywhere to indicate if I’m doing something disastrous here, or not. Am I?

nicolas_sabena · 2018-12-15 21:05:07 UTC

The claims parameter is defined by the OIDC spec as a way for clients to specify individual claims needed (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter). However, it’s not currently supported by the Auth0 server (it will be ignored) so, at least for now, you should be OK.

Not sure about your use case but passing parameters to rules through the authorization request should at least raise a warning flag (usually you wouldn’t use any parameter other than those defined in the spec, and for the purpose defined in the spec). Definitely, don’t use this for security decisions, as the parameters could be intercepted and changed.