I believe I have read examples in the documentation or other community posts where it’s suggested that we are able to pass custom querystring parameters to the hosted login url. The auth0.js (v9.0.2) warns you if you use a querystring parameter that is outside the list of whitelisted parameter names defined in the .js file. Is this the expected behavior?
The mentions in community posts are not surprising because posts are not updated retroactively most of the times so a specific change may not get reflected in some existing posts. In this particular case the situation is a bit different; it’s technically possible and even Auth0.js still allows it in version 9 (although with a warning) so it’s not unexpected to see those mentions in the forum or even in some reference documentation. However, the reality is that using such parameters does have certain implications that as a personal opinion make the warning useful. For example, those parameters won’t get any sort of validation and are also under the control of the end-user so most of the times they can do more harm than good. At this time I don’t have any definitive information about what will happen with regards to custom parameters, but flagging their usage with a warning seems applicable and should trigger your review of the implementation to consider if they are strictly needed.