Avoid leaking enterprise connection domains using lock.js

Hi, we are trying to implement Enterprise SSO login with the classic universal login. While using the Lock default template for the login form, I noticed that it makes a call to the server, which among other things returns a list (domain_aliases) with all the domains associated with enterprise connections.

Is there a way to disable this behavior? We don’t want to leak that information to anyone who accesses the page and knows what to look for.

Please note that we have already confirmed with Auth0 solution engineers that our login requirements cannot be fulfilled with the new universal login. Now, it comes down to whether we can use Lock.js or need to fall back to the Auth0 SDK.

Hi @victorbaumann,

Welcome to the Auth0 Community!

As far as I can find, this is how Classic Universal Login handles home realm discovery. Are you still seeing this behavior with HRD disabled?
