Custom Authorize params (extraParams)

herman · February 25, 2020, 7:57am

Previously it was possible to supply extraParams using the Auth0.js library, see:

It seems this is no longer possible, because only whitelisted params are allowed:

auth0/auth0.js/blob/master/src/helper/parameters-whitelist.js

// For future reference:,
// The only parameters that should be allowed are parameters
// defined by the specification, or existing parameters that we
// need for compatibility

import objectHelper from './object';

var tokenParams = [
  // auth0
  'realm',
  'audience',
  'otp',
  // oauth2
  'client_id',
  'client_secret',
  'redirect_uri',
  'scope',
  'code',
  'grant_type',
  'username',

This file has been truncated. show original

Specifically we want to show the country a user selected at a previous page, and a button to abort the login and change this parameter.

Is it not possible to send extra information to the customized Universal Login Lock pages?

Regards,
Herman

HeberLZGlobant · August 14, 2020, 5:27pm

I’m having the same issue, it is critical for us to be able to receive dynamic extra parameters for customizing the login experience

codenameredpanda · October 15, 2020, 11:02pm

Check this thread out - Passing initialScreen to Lock from auth0-spa-js - #2 by ogazitt
It helped me. Hope it works for you too. Good luck!

konrad.sopala · October 16, 2020, 8:26am

Thanks for sharing it with the rest of community!

herman · October 18, 2020, 3:18pm

I’m not sure if that fixes it @codenameredpanda, because last time I checked those parameters are not allowed and filtered out by the library, in the file I listed in the question. You will see a warning: “Following parameters are not allowed on the /authorize endpoint: [params here]”.

Are you maybe using a older (or newer?!?) version of the library? The method loginWithRedirect is not an option in the library GitHub - auth0/auth0.js: Auth0 headless browser sdk in the WebAuth class. It only has authorize, which, like I said filters out those parameters.

Am I overlooking some functionality?

codenameredpanda · October 20, 2020, 10:17am

@herman , we are not using authO.js anymore. As the link mentions the solution mentioned is for authO-spa-js
Sorry didn’t realize you were looking for authO.js

nicolas_sabena · February 25, 2021, 6:13pm

In Auth0.js you can do this:

var webAuth = new auth0.WebAuth({
  domain: domain,
  clientID: clientId,
  redirectUri: window.location.href
});
webAuth.authorize({
  my_custom_param:"value"
});

The code linked above at auth0.js/parameters-whitelist.js at master · auth0/auth0.js · GitHub will give you a warning if your param it’s not in the allow list, but it will be included in the /authorize request nonetheless.

konrad.sopala · March 2, 2021, 1:37pm

Thanks for sharing that Nico!

anatoliib · January 19, 2022, 10:26am

@herman, @konrad.sopala, do you have a solution for auth0-react.js?

rembrandt.reyes · June 15, 2023, 11:55pm

Do custom params still work for webAuth.authorize? I have added some custom params to auth0.webAuth and when I test this out locally it works, but when I try and do the same test with my changes deployed to my auth0 tenant the custom params get filtered out.

My example is something like this:

socialLogin(cb, connection, someId, someUserSelection) {
    const params = { connection, someUserSelection };

    if (someId) {
      params.someId = someId;
    }

    this.webAuth.authorize(params, cb);
  }
...
socialLogin(()=>{}, 'github', '123', 'pizza');

When checking auth0 rules I would expect there to be values in context.request.query.someId or context.request.query.someUserSelection.

We are using WebAuth version 9.20.2 if that makes any difference.