`auth0Client` parameter in the /authorize request

Problem statement

We see `auth0Client` in the query string and the `Auth0-Client` header in requests to Authentication API endpoints (e.g. /authorize, /login, or /oauth/token), as well as in the tenant logs. What is it?

Solution

The `auth0Client` parameter contains telemetry information sent by the Auth0 SDK. The value is base64-encoded; decoding it reveals the information it carries.

For example, here is the source code related to the telemetry data in the auth0.js SDK:

As shown in the above code, you can disable sending the telemetry data by setting _sendTelemetry to false when initializing the SDK, e.g.:

```js
var webAuth = new auth0.WebAuth({
  domain: AUTH0_DOMAIN,
  clientID: AUTH0_CLIENT_ID,
  _sendTelemetry: false,
  // other parameters
});
```
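To inspect an `auth0Client` value seen in a request URL, an `Auth0-Client` header, or a tenant log entry, the decoder below is an added example for Node.js, not code from the Auth0 SDK. It assumes the decoded bytes are a JSON object; the sample URL, tenant host, client ID and version string are constructed placeholders, and the function names are hypothetical.

```javascript
// Decode an auth0Client / Auth0-Client telemetry value.
// The value is supplied by the client, so it is validated as untrusted input.
const MAX_ENCODED_LENGTH = 2048; // arbitrary cap chosen for this example

function decodeTelemetry(encoded) {
  if (typeof encoded !== 'string' || encoded.length === 0) {
    return { ok: false, error: 'empty value' };
  }
  if (encoded.length > MAX_ENCODED_LENGTH) {
    return { ok: false, error: 'value too long' };
  }
  // Accept standard and URL-safe base64 alphabets, with or without padding.
  if (!/^[A-Za-z0-9+\/_-]+={0,2}$/.test(encoded)) {
    return { ok: false, error: 'not base64' };
  }
  const normalized = encoded.replace(/-/g, '+').replace(/_/g, '/');
  const text = Buffer.from(normalized, 'base64').toString('utf8');
  try {
    const data = JSON.parse(text);
    if (data === null || typeof data !== 'object' || Array.isArray(data)) {
      return { ok: false, error: 'decoded value is not a JSON object' };
    }
    return { ok: true, data };
  } catch (err) {
    return { ok: false, error: 'decoded value is not JSON' };
  }
}

function telemetryFromUrl(requestUrl) {
  // searchParams percent-decodes the value (%3D becomes '=') but turns a
  // literal '+' into a space, so spaces are mapped back before decoding.
  const value = new URL(requestUrl).searchParams.get('auth0Client');
  if (value === null) {
    return { ok: false, error: 'no auth0Client parameter' };
  }
  return decodeTelemetry(value.replace(/ /g, '+'));
}

// Constructed sample: a placeholder payload encoded the way it would appear in a URL.
const sampleInfo = { name: 'auth0.js', version: '0.0.0-example' };
const sampleValue = Buffer.from(JSON.stringify(sampleInfo)).toString('base64');
const sampleUrl = 'https://tenant.example.com/authorize?client_id=EXAMPLE_CLIENT_ID' +
  '&response_type=code&auth0Client=' + encodeURIComponent(sampleValue);

console.log(telemetryFromUrl(sampleUrl));
```

Because the sender controls this value, it is useful for seeing which SDK a request claims to come from, not as a basis for access decisions.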