Limit of `ext-` parameters on universal login page

konrad.sopala · July 21, 2023, 11:10am

Problem statement

According to the following document, customers could pass parameters with ext- prefix to the /authorize endpoint and then use them in the universal login page templates:

https://auth0.com/docs/customize/universal-login-pages/universal-login-page-templates#custom-query-parameters

The usage of ext- parameters comes with a few limits, though.

Solution

The usage of ext- parameters has the following limits:

The ext- parameter names must be unique
There could be max 10 ext- parameters in one /authorize request
The ext- parameter name must match this regex /^ext-[\w-]{1,28}$/ (start with ext-, contains [a-zA-z0-9_-] only, and max 28 characters)
The ext- parameter value must match this regex /^[-\w.*~@+ /:]{1,255}$/ (contains [a-zA-Z0-9-.*~@+ /:] only, and max 255 characters)

If the limits are exceeded, the following errors could be returned:

// limit #1 exceeded
error parsing ext params: must have less than or equal to 10 keys with "ext-" prefix
// limit #4 exceeded
error parsing ext params: "ext-xxxxx" with value XXXXX fails to match the required pattern: /^[-\\w.*~@+ /:]{1,255}$/'`