Login_hint for SSO connection is assumed to be the same as user email

I’m currently using the Universal Login Experience for my single page application. The login page worked well until our customer requested SSO support with OIDC. For the most part, the SSO experience works. However, this one customer's SSO login username is not the same as their email address, e.g. jim@acme.com is their email address, while “jim” is the username for SSO login with their IdP.

Repro steps:

  1. Jim visits my.coolapp.com application → redirected to auth.coolapp.com with auth0 Universal Login UI
  2. Jim types in jim@acme.com → redirected to sso.acme.com (customer IdP). This redirect happens automatically because acme.com is configured in the IdP domains for the Home Realm Discovery login experience.
  3. ISSUE: since Jim typed jim@acme.com into the Universal Login UI, jim@acme.com is automatically used as the login_hint query parameter in the redirect to sso.acme.com. This causes the customer's login UI to auto-fill the username field with jim@acme.com. It is a problem because the username here is actually “jim”, not jim@acme.com.

I found the code in Lock.js that makes this assumption:
https://github.com/auth0/lock/blob/067fa607df3b8bea64a275078d878e802f0340f9/src/connection/enterprise/actions.js#L98

Ideally, we should be able to tell Lock.js to include a provided login_hint param if there is one, even if it’s empty, to clear out the login hint.

The workaround I have now is to: 1. use a custom Classic Login Experience, 2. manually edit Lock.js (and host it on our CDN) to remove login_hint from the SSO login.

Does anyone have the same issue, and how do you work around it?

What do you think about proposing that Auth0 support a custom login_hint for SSO?

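As an added illustration of the problem described above (not Lock.js code, and not an Auth0 API), the snippet below simulates the Home Realm Discovery step: it matches the typed identifier against constructed IdP domains and derives the login_hint from a per-connection policy instead of always forwarding the full email. The connection names, domains and the `loginHint` policy field are assumptions made up for the example.

```javascript
// Added example, not code from Lock.js: Home Realm Discovery that derives
// login_hint per enterprise connection instead of always sending the email.

// Constructed sample of enterprise connections, keyed by IdP domain.
// loginHint policy (hypothetical field): "email" (forward the typed email,
// the behaviour described in the post), "local-part" (send the part before
// "@"), or "none" (omit login_hint so the IdP's own form is left blank).
const CONNECTIONS = [
  { name: "acme-oidc", domains: ["acme.com"], loginHint: "local-part" },
  { name: "globex-saml", domains: ["globex.com"], loginHint: "email" },
  { name: "initech-oidc", domains: ["initech.com"], loginHint: "none" },
];

// Find the enterprise connection whose IdP domain matches the identifier.
// Returns null when the identifier has no domain or no connection matches.
function findConnection(identifier, connections = CONNECTIONS) {
  const at = identifier.lastIndexOf("@");
  if (at < 0) return null;
  const domain = identifier.slice(at + 1).toLowerCase();
  return connections.find((c) => c.domains.includes(domain)) || null;
}

// Decide which login_hint value (if any) to forward to the IdP.
function loginHintFor(identifier, connection) {
  switch (connection.loginHint) {
    case "email":
      return identifier;
    case "local-part":
      return identifier.slice(0, identifier.lastIndexOf("@"));
    case "none":
      return undefined;
    default:
      throw new Error(`unknown loginHint policy: ${connection.loginHint}`);
  }
}

// Build the query parameters for the redirect to the IdP. Returns null when
// no enterprise connection matches (the caller falls back to normal login).
function buildAuthorizeParams(identifier, connections = CONNECTIONS) {
  const conn = findConnection(identifier, connections);
  if (!conn) return null;
  const params = new URLSearchParams({ connection: conn.name });
  const hint = loginHintFor(identifier, conn);
  if (hint !== undefined) params.set("login_hint", hint);
  return params;
}
```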