Disable the login_hint Parameter that is Passed by Default to the IdP

Overview

Some identity providers do not use email for login. Instead, they use some other username. With the current out-of-the-box behavior, the email address entered by the user into the Auth0 login page (with HRD) is automatically set as the identifier in the identity provider’s login form. This results in the user having to take extra steps to change the identifier or getting an error when attempting to log in.

Solution

  1. Identify the connection for which login_hint should not be passed, as per the business use case.
  2. Make a call to the Auth0 Management API to get the connection options.
curl --request GET \
--url 'https://YOUR_DOMAIN/api/v2/connections/CONNECTION-ID?fields=options&include_fields=true' \
--header 'authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'content-type: application/json'
  3. Update the connection options object to include an upstream_params object that sets an alias for login_hint.

NOTE: the full options object must be passed, because the PATCH replaces the existing options object with whatever is sent; any option omitted from the request is lost.

{
  "options": {
    ...all the other options from step 2...
    "upstream_params": {
      "login_email": {
        "alias": "login_hint"
      }
    }
  }
}
  4. Make a call to the Auth0 Management API to patch the connection options.
curl --request PATCH \
--url 'https://YOUR_DOMAIN/api/v2/connections/CONNECTION-ID' \
--header 'authorization: Bearer YOUR_ACCESS_TOKEN' \
--header 'content-type: application/json' \
--data '{"options": { ...all options from step 3... }}'
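Steps 2 to 4 as one read-modify-write script, added here as an example and not Auth0's own tooling. It assumes the Management API endpoints shown above and uses placeholder values for the domain, access token and connection id; the merge is kept in its own function so the "whole options object is replaced" caveat from the note is handled explicitly rather than by hand-copying fields.

```python
"""Alias login_hint on an Auth0 connection without dropping existing options."""
import copy
import json
import urllib.request
from typing import Optional

DOMAIN = "YOUR_DOMAIN"           # placeholder: your Auth0 tenant domain
TOKEN = "YOUR_ACCESS_TOKEN"      # placeholder: Management API token
CONNECTION_ID = "CONNECTION-ID"  # placeholder: id of the connection from step 1


def add_login_hint_alias(options: dict, alias: str = "login_email") -> dict:
    """Return a copy of `options` with upstream_params aliasing login_hint.

    The PATCH replaces the whole options object, so every existing key is
    preserved; any upstream_params already configured are kept and only the
    alias entry is added (or overwritten if it already exists).
    """
    merged = copy.deepcopy(options)  # never mutate the caller's copy
    upstream = merged.setdefault("upstream_params", {})
    upstream[alias] = {"alias": "login_hint"}
    return merged


def _request(method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Management API call with the headers used in the curl steps."""
    url = f"https://{DOMAIN}/api/v2/{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "authorization": f"Bearer {TOKEN}",
        "content-type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def disable_login_hint(connection_id: str = CONNECTION_ID) -> dict:
    """Fetch current options (step 2), merge (step 3) and patch back (step 4)."""
    current = _request(
        "GET", f"connections/{connection_id}?fields=options&include_fields=true")
    new_options = add_login_hint_alias(current["options"])
    return _request("PATCH", f"connections/{connection_id}", {"options": new_options})


if __name__ == "__main__":
    print(json.dumps(disable_login_hint(), indent=2))
```

Change the `alias` argument if `login_email` happens to be a parameter your IdP acts on; it must be a name the IdP ignores.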

This will result in the login_hint value being passed in the login_email parameter instead, and therefore, the login_hint parameter will not be sent to the IdP.

The caveat with this approach is that a parameter is still sent to the IdP, just under a different name. The alias should therefore be set to a parameter name the IdP will ignore.