I’m currently using the Universal Login Experience for my single page application. The login page worked well until one of our customers requested SSO support with OIDC. For the most part, the SSO experience works. However, this one customer’s SSO login username is not the same as their email address, e.g. jim@acme.com is their email address, while “jim” is the username for SSO login with their IdP.
Repro steps:
- Jim visits the my.coolapp.com application → redirected to auth.coolapp.com with the Auth0 Universal Login UI.
- Jim types in jim@acme.com → redirected to sso.acme.com (customer IdP). This redirect happens automatically because acme.com is configured in the IdP domains for the Home Realm Discovery login experience.
- ISSUE: since Jim typed jim@acme.com in the Universal Login UI, jim@acme.com is automatically used as the login_hint query parameter in the redirect to sso.acme.com. This causes the customer’s login UI to auto-fill the username with jim@acme.com. It is a problem because the username here is actually “jim”, not jim@acme.com.
I found the code in Lock.js that has this assumption:
https://github.com/auth0/lock/blob/067fa607df3b8bea64a275078d878e802f0340f9/src/connection/enterprise/actions.js#L98
Ideally, we should be able to tell Lock.js to include a provided login_hint param if there is one, even if it’s empty, to clear out the login hint.
The workaround I have now is to:
1. Use the custom Classic Login Experience.
2. Manually edit Lock.js (and host it on our CDN) to remove login_hint from the SSO login.
Does anyone have the same issue, and how do you work around it?
What do you think about proposing that Auth0 support a custom login_hint for SSO?
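The behaviour described in this post, sketched as an added example (not Lock.js or Auth0 code): a Home Realm Discovery lookup that matches the typed identifier's domain to an enterprise connection, then derives the login_hint from a per-connection setting instead of always forwarding the full email address. The connection list, the `loginHint` setting (`"email"`, `"local-part"` or `"none"`) and the IdP authorize URL are all constructed for illustration.

```javascript
// Added example, not Lock.js code. Assumed per-connection config shape:
// { name, domains, loginHint } where loginHint is "email" (Lock's current
// behaviour), "local-part" (send only the part before "@") or "none" (omit).
const connections = [
  { name: "acme-oidc", domains: ["acme.com"], loginHint: "local-part" },
  { name: "globex-saml", domains: ["globex.com"], loginHint: "email" },
];

// Home Realm Discovery: pick the connection whose IdP domains contain the
// domain of the identifier the user typed. Returns null when nothing matches.
function findConnectionByDomain(identifier, conns) {
  const at = identifier.lastIndexOf("@");
  if (at < 0) return null; // no domain typed, HRD cannot route
  const domain = identifier.slice(at + 1).toLowerCase();
  return conns.find((c) => c.domains.includes(domain)) || null;
}

// Derive the value to send as login_hint for this connection, or null to
// leave the parameter out entirely so the IdP form is not prefilled.
function buildLoginHint(identifier, conn) {
  switch (conn.loginHint) {
    case "local-part":
      return identifier.slice(0, identifier.lastIndexOf("@"));
    case "none":
      return null;
    default:
      return identifier; // "email": forward the full address as typed
  }
}

// Build the redirect to the customer IdP (authorize URL is constructed).
// Returns null when the identifier does not map to an enterprise connection.
function buildAuthorizeUrl(idpAuthorizeUrl, identifier, conns) {
  const conn = findConnectionByDomain(identifier, conns);
  if (!conn) return null;
  const url = new URL(idpAuthorizeUrl);
  const hint = buildLoginHint(identifier, conn);
  if (hint !== null) url.searchParams.set("login_hint", hint);
  return url.toString();
}
```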