Currently, I pass some additional querystring parameters to the hosted login URL by using my own properties on the options object passed to the authorize method and just live with the console warnings that they generate.
However, in looking through the whitelisted parameters:
I see “claims” as being whitelisted, which appears to allow me to pass an object (a list of name-value pairs, in my case) that has been serialized to JSON, and I am then able to access them in the Auth0 rules. This also eliminates the warnings I’m getting.
I am not finding any information anywhere to indicate if I’m doing something disastrous here, or not. Am I?
The claims parameter is defined by the OIDC spec as a way for clients to specify individual claims needed (see OpenID Connect Core 1.0 incorporating errata set 1). However, it’s not currently supported by the Auth0 server (it will be ignored) so, at least for now, you should be OK.
Not sure about your use case but passing parameters to rules through the authorization request should at least raise a warning flag (usually you wouldn’t use any parameter other than those defined in the spec, and for the purpose defined in the spec). Definitely, don’t use this for security decisions, as the parameters could be intercepted and changed.
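
The following is an added example, not code from the original posts or from Auth0: a rule-shaped function that treats the `claims` query value as untrusted, keeps only allow-listed display hints from it, and takes authorization data from the server-side profile instead. The rule signature and `context.request.query` follow the Auth0 Rules convention; the hint names, the `https://example.com/` claim namespace and the `app_metadata.roles` layout are assumptions made for illustration.

```javascript
// Hypothetical hint names a client may send; anything else is dropped.
const ALLOWED_HINTS = new Set(["ui_theme", "campaign"]);

// Parse the client-supplied JSON defensively. The value arrives in the
// browser-visible authorization request, so anyone can change it.
function parseHints(rawClaims) {
  if (typeof rawClaims !== "string" || rawClaims.length > 1024) return {};
  let parsed;
  try {
    parsed = JSON.parse(rawClaims);
  } catch (e) {
    return {}; // malformed JSON: ignore rather than fail the login
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return {};
  }
  const hints = {};
  for (const key of Object.keys(parsed)) {
    const value = parsed[key];
    // Keep only known keys with short, plain string values.
    if (ALLOWED_HINTS.has(key) && typeof value === "string" &&
        /^[\w-]{1,32}$/.test(value)) {
      hints[key] = value;
    }
  }
  return hints;
}

function exampleRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const hints = parseHints(query.claims);

  // Security-relevant data comes from the stored profile, never the request.
  const roles = (user.app_metadata && user.app_metadata.roles) || [];

  context.idToken = context.idToken || {};
  context.idToken["https://example.com/roles"] = roles;
  // Request-derived values are used for presentation only.
  context.idToken["https://example.com/ui_theme"] = hints.ui_theme || "default";

  callback(null, user, context);
}
```
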