achedeuzot / ueberauth_auth0

Auth0 OAuth2 strategy for Überauth.
https://hexdocs.pm/ueberauth_auth0
MIT License

Some query parameters for Auth0 not passing through #239

Open JasonNoonan opened 1 year ago

JasonNoonan commented 1 year ago

When trying to pass some Auth0-supported custom query parameters through Ueberauth to the /authorize endpoint on Auth0, it appears that the additional query parameters are not getting through. We have a custom template loaded in our Auth0 Universal Login, which makes use of ext-register-title and ext-register-subtitle params to customize the title and description on our prompt.

For instance, if I call /auth/auth0?ext-register-title=test, I would expect the Auth0 prompt that I'm receiving to show the title as "test" instead of welcome due to our Universal Login template, but I can see in the network tab that the query parameter is never getting passed through.

I've made some modifications locally to the allowed params this library uses and confirmed that it can work, but I imagine you all don't want to accept a bunch of random PRs asking for "please approve ext-my-var query params".

Is there a way to accomplish what I'm after without modifying the existing library? Something I'm missing with config or setup for the Auth0 strategy that would pass this value through?

My colleague proposed an idea of allowing the user to provide a list of ext_params to the strategy's config list providing a map of the params to their default values, which could then be appended to the pass-through params after the allowed params were iterated, but we're unsure if you'd be open to such a PR and wanted to see if there was an alternative way to accomplish this that we're missing.
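
One way the `ext_params` idea described in the comment above could work, as an added example that is not part of the original thread or of ueberauth_auth0. The module name, the `:ext_params` option, its defaults, the length cap and the sample request are all hypothetical.

```elixir
defmodule ExtParamsExample do
  # Hypothetical module: not part of ueberauth_auth0.
  # :allowed_request_params mirrors the strategy option of that name;
  # :ext_params (param name => default) is the option proposed above, assumed here.
  @opts [
    allowed_request_params: [:scope, :state, :audience, :connection, :prompt],
    ext_params: %{"ext-register-title" => "Welcome", "ext-register-subtitle" => ""}
  ]

  # Assumed cap on a forwarded ext value, in bytes.
  @max_len 128

  def build(request_params, opts \\ @opts) do
    allowed =
      opts
      |> Keyword.get(:allowed_request_params, [])
      |> Enum.map(&Atom.to_string/1)

    # Allowlisted params first. Keys are compared as strings, so request
    # keys are never converted to atoms.
    base = Map.take(request_params, allowed)

    # Then each configured ext param: the request value when it is a
    # non-empty string within the cap, otherwise the configured default.
    extra =
      Map.new(Keyword.get(opts, :ext_params, %{}), fn {key, default} ->
        {key, pick(Map.get(request_params, key), default)}
      end)

    # Drop empty and non-string values (e.g. lists from "scope[]=...").
    base
    |> Map.merge(extra)
    |> Enum.filter(fn {_key, value} -> is_binary(value) and value != "" end)
    |> Map.new()
  end

  defp pick(value, _default)
       when is_binary(value) and value != "" and byte_size(value) <= @max_len,
       do: value

  defp pick(_value, default), do: default
end

# Constructed request params: one allowlisted key, one configured ext key,
# and two keys that appear in neither list and are therefore not forwarded.
request = %{"scope" => "openid email", "ext-register-title" => "test",
            "redirect_uri" => "https://example.invalid/cb", "ext-unlisted" => "x"}

IO.inspect(ExtParamsExample.build(request))
```

Because only keys named in configuration are forwarded, adding a new `ext-*` parameter stays a config change, and anything else on the incoming query string never reaches the authorize URL.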

JasonNoonan commented 1 year ago

Hi, I just wanted to follow up on this. Am I barking up the wrong tree with this request or is there any assistance I can get with resolving the problem?

Thank you for your time!

njausteve commented 1 year ago

@JasonNoonan I've had a similar case where we needed to allow some UTM parameters and this is how we did it. Not sure whether you've already tried that.

```elixir
# Ueberauth Auth0 configuration
config :ueberauth, Ueberauth,
  providers: [
    auth0: {
      Ueberauth.Strategy.Auth0,
      [
        default_scope: "openid name email",
        allowed_request_params: [
          :scope,
          :state,
          :audience,
          :connection,
          :prompt,
          :screen_hint,
          :login_hint,
          :utm_source,
          :utm_content,
          :utm_medium,
          :utm_campaign,
          :utm_term
        ]
      ]
    }
  ]
```

In this case, the :utm_** keys are a list of external parameters allowed through