I’m currently using the Universal Login Experience for my single page application. The login page worked well until our customer requested SSO support with OIDC. For the most part, the SSO experience works. However, this one customer’s SSO login username is not the same as their email address, e.g. jim@acme.com is their email address, while “jim” is the username for SSO login with their IdP.
Repro steps:
- Jim visits the my.coolapp.com application → redirected to auth.coolapp.com with the Auth0 Universal Login UI.
- Jim types in jim@acme.com → redirected to sso.acme.com (customer IdP). This redirect happened automatically because acme.com is configured in IdP domains for the Home Realm Discovery login experience.
- ISSUE: since Jim typed in jim@acme.com in the Universal Login UI, jim@acme.com is automatically used as the login_hint query parameter in the redirect to sso.acme.com. This caused the customer login UI to auto-fill username: jim@acme.com. It is a problem because the username here is actually “jim”, not jim@acme.com.
I found the code in Lock.js that has this assumption:
https://github.com/auth0/lock/blob/067fa607df3b8bea64a275078d878e802f0340f9/src/connection/enterprise/actions.js#L98
Ideally, we should be able to tell Lock.js to include a provided login_hint param if there is one, even if it’s empty to clear out the login hint.
The workaround I have now is to: 1. use the custom Classic Login Experience, 2. manually edit Lock.js (and host it on our CDN) to remove login_hint from SSO login.
Does anyone have the same issue, and how do you work around it?
What do you think about proposing that Auth0 support a custom login_hint for SSO?
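Added example, not code from the original post or from Auth0/Lock.js: a small JavaScript sketch of the Home Realm Discovery redirect described above, where login_hint defaults to the typed identifier but an explicitly supplied value wins, and an empty string omits the parameter (my reading of "empty to clear out the login hint"). The HRD domain table, the loginHint option, client_id, state and redirect_uri values are constructed placeholders.

```javascript
// Added example (not Auth0 or Lock.js code): build the OIDC authorize
// redirect for a Home Realm Discovery connection and decide the login_hint
// explicitly instead of always forwarding the identifier the user typed.

// Constructed HRD table: email domain -> IdP authorize endpoint (assumption).
const HRD_DOMAINS = { "acme.com": "https://sso.acme.com/authorize" };

// Return the matching HRD connection for an identifier, or null when the
// domain is not configured (local login would be used instead).
function findHrdConnection(identifier, domains = HRD_DOMAINS) {
  const at = identifier.lastIndexOf("@");
  if (at < 0) return null;
  const domain = identifier.slice(at + 1).toLowerCase();
  return Object.prototype.hasOwnProperty.call(domains, domain)
    ? { domain, authorizeUrl: domains[domain] }
    : null;
}

// options.loginHint policy (hypothetical knob that Lock.js lacks today):
//   undefined -> current behaviour: forward the typed identifier as login_hint
//   ""        -> clear it: send the redirect with no login_hint at all
//   "jim"     -> use the IdP username the caller supplied
function buildAuthorizeUrl(identifier, options = {}) {
  const conn = findHrdConnection(identifier, options.domains);
  if (!conn) return null;
  const url = new URL(conn.authorizeUrl);
  url.searchParams.set("client_id", options.clientId || "CLIENT_ID_PLACEHOLDER");
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", "openid email");
  url.searchParams.set("redirect_uri", options.redirectUri || "https://auth.coolapp.com/login/callback");
  // state binds the callback to this request; generate it per request in real code.
  url.searchParams.set("state", options.state || "STATE_PLACEHOLDER");
  const hint = options.loginHint === undefined ? identifier : options.loginHint;
  // login_hint only prefills the IdP's form; it carries no authentication and
  // the IdP must still verify whoever actually signs in.
  if (hint !== "") url.searchParams.set("login_hint", hint);
  return url.toString();
}

// The three cases from the post.
console.log(buildAuthorizeUrl("jim@acme.com"));                       // login_hint=jim%40acme.com
console.log(buildAuthorizeUrl("jim@acme.com", { loginHint: "" }));    // no login_hint
console.log(buildAuthorizeUrl("jim@acme.com", { loginHint: "jim" })); // login_hint=jim
```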