How to include a custom querystring in authorization code response back to the SP?

With Auth0, is it possible / how would I go about passing a custom querystring back to the service provider in the authorization code response?

In other words – the SP redirects / makes the auth code request to Auth0 (user is prompted to sign in) and I’d like Auth0 to include a custom querystring in the redirect back to the SP’s callback URL. This is in addition to the standard OAuth2 params state and code.

First thought that came to mind was using a custom Auth0 rule, wondering if anyone can provide guidance on this. Thank you!

A rule will be able to influence the authorization response, but it will not be able to add custom query string parameters into the response.

What’s the use case you have that requires this? Is it completely impossible for you to leverage a custom claim added to the tokens that will be obtained after the code exchange?


Hi @jmangelo! Thank you for the response here. Here is my use case:

We have a client that has a couple of different sets of OAuth2 endpoints within their IdP. But essentially, after a user “signs in”, we want to be able to test a custom query string that is returned back to the SP in the authorization code redirect response, that tells the SP to continue with a different set of OAuth2 endpoints.

The flow would look like:

1.) User is redirected to authz URL A, signs in with their username/password, IdP determines that user needs to authn with a different set of endpoints/configuration and sends back a querystring in the redirect back to the SP (instead of erroring out, before any token requests)
2.) SP catches querystring, then redirects to another authz URL B. Because the user already authn and has a valid session within the IdP, we just continue on with the OAuth2 flow behind the scenes and the user is then authn into the SP

It’s sort of a “fail over” approach under the hood, with the main goal here being to prevent the user from having to type in their username/password twice.

@jmangelo – Just had this thought, instead of a custom querystring, would it be possible to set up a rule that returns a custom error code in the authz response? Something like: ?error=some_custom_error.

Off the top of my head your rule should be able to provide a fully custom error_description, but not a fully custom error. In relation to the use case itself, I confess I’m not immediately seeing a good way out for this as I don’t think that flow is commonly seen.

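An added example, not written by any poster in this thread and not Auth0 code: how the SP's callback handler could act on an `error_description` marker like the one discussed above while treating the callback URL as untrusted input. The marker value, endpoint URL, client ID, redirect URI and session shape are all hypothetical.

```javascript
// Added example: SP callback handler for the fail-over flow in this thread.
// Assumptions (hypothetical, not from the thread or Auth0 docs):
const FALLBACK_MARKER = "use_alternate_endpoints"; // error_description value the rule would set
const AUTHZ_URL_B = "https://idp.example.com/b/authorize"; // fixed in SP config, never taken from the request
const CLIENT_ID = "sp-client-id";
const REDIRECT_URI = "https://sp.example.com/callback";

// session: per-browser server-side state { pendingState, fallbackTried }
// newState: fresh random value generated by the caller for the second request
function handleCallback(callbackUrl, session, newState) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get("state");

  // Anyone can craft a callback URL, so nothing is trusted until state matches.
  if (!state || !session.pendingState || state !== session.pendingState) {
    return { action: "reject", reason: "state_mismatch" };
  }
  session.pendingState = null; // state is single-use

  if (params.has("code")) {
    return { action: "exchange_code", code: params.get("code") };
  }
  if (!params.has("error")) {
    return { action: "reject", reason: "malformed_response" };
  }

  // The marker only selects a preconfigured endpoint; one retry per login
  // attempt prevents redirect loops.
  if (params.get("error_description") === FALLBACK_MARKER && !session.fallbackTried) {
    session.fallbackTried = true;
    session.pendingState = newState;
    const next = new URL(AUTHZ_URL_B);
    next.searchParams.set("response_type", "code");
    next.searchParams.set("client_id", CLIENT_ID);
    next.searchParams.set("redirect_uri", REDIRECT_URI);
    next.searchParams.set("state", newState);
    return { action: "redirect", location: next.toString() };
  }
  return { action: "show_error", error: params.get("error") };
}

// Constructed sample callback, not captured from a real IdP.
const session = { pendingState: "s1", fallbackTried: false };
const result = handleCallback(
  "https://sp.example.com/callback?error=access_denied&error_description=use_alternate_endpoints&state=s1",
  session, "s2");
console.log(result.action, result.location);
```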

@jmangelo – Gotcha. I appreciate you taking the time to help me through this. I’ll do a little experimenting on my side and drop a comment back in this thread with my findings, in case there are others in similar situations.

Thank you again!


Sure, no worries. Let us know how that goes.
