You can pass provider-specific parameters to an (IdP) during authentication. The values can either be static per connection or dynamic per user.

Limitations

For this configuration, be aware of the following restrictions:
  • Only valid OAuth 2.0/OIDC parameters are accepted.
  • Not all IdPs support upstream parameters. Check with the specific IdP before you proceed with your implementation.
  • IdPs do not support upstream parameters.

Static parameters

Use static parameters to configure your connection to send a standard set of parameters to the IdP when a user logs in. To configure static parameters, call the Auth0 Create a connection or Update a connection endpoint, and pass the upstream_params object in the options object with the parameters you’d like to send to the IdP.

Example: WordPress

WordPress allows you to pass an optional blog parameter to its authorization endpoint, and automatically request access to a specified blog for users when they log in. To learn more, read WordPress’s OAuth 2.0 documentation. To follow this example, you’ll need a working WordPress Social connection.

Get the connection

Call the Management API Get a connection endpoint to retrieve the existing values of the options object: 
curl --request GET \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourWordpressConnectionId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json'
The options object will look something like this: 
{
  "options": {
    "client_id": "", 
    "profile": true, 
    "scope": ["profile"]
  }
}

Update the connection (static)

Copy the existing options object, and then add the upstream_params object with the blog field as an attribute: 
{
  "options": {
    "client_id": "", 
    "profile": true, 
    "scope": ["profile"],
    "upstream_params": {
      "blog": {"value":"myblog.wordpress.com"}
    }
  }
}
Call the Management API Update a connection endpoint with the options object in the body: 
curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourWordpressConnectionId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{"options":{"client_id":"","profile":true,"scope":["profile"],"upstream_params":{"blog":{"value":"myblog.wordpress.com"}}}}'
Now every time a user authenticates with this connection, the request to the Wordpress authorization endpoint will include the query parameter blog=myblog.wordpress.com.

Dynamic parameters

Use dynamic parameters to configure your connection to send a set of parameters with values specific to the user to the IdP when they log in. To configure dynamic parameters, call the Auth0 Management API Create a connection or Update a connection endpoint, pass the upstream_params object in the options object with the parameters you’d like to send to the IdP, and specify the field that the parameter maps to with the alias attribute. Here’s a sample options object that we’ll revisit later in the X example: 
{
  "options": {
    "upstream_params": {
      "screen_name": {
        "alias": "login_hint"
      }
    }
  }
}

Available fields

These are the available fields for the alias attribute:
  • acr_values
  • audience
  • client_id
  • display
  • id_token_hint
  • login_hint
  • max_age
  • prompt
  • resource
  • response_mode
  • response_type
  • ui_locales

Example: X

X allows you to pass an optional screen_name parameter to its OAuth authorization endpoint. The screen_name parameter pre-fills the username input box of the login screen with the given value. To learn more, read X’s API reference. To follow this example, you’ll need a working Twitter Social connection.

Get the connection

Call the Management API Get a connection endpoint to retrieve the existing values of the options object: 
curl --request GET \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourXConnectionId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json'
The options object will look something like this: 
"options": {
  "client_id": "thisismyid",
  "client_secret": "thisismysecret",
  "profile": true
}

Update the connection (dynamic)

Copy the existing options object, add the upstream_params object with the screen_name field as an attribute, and then set the alias attribute to login_hint: 
{
  "options": {
    "client_id": "", 
    "profile": true, 
    "scope": ["profile"],
    "upstream_params": {
      "screen_name": {
        "alias": "login_hint"
      }
    }
  }
}
Call the Management API Update a connection endpoint with the options object in the body: 
curl --request PATCH \
  --url 'https://{yourDomain}/api/v2/connections/%7ByourXConnectionId%7D' \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{"options": {"client_id": "{clientId}", "client_secret": "{clientSecret}", "profile": true, "upstream_params": {"screen_name": {"alias": "login_hint"}}}}'

Call the login endpoint

When you call the Authentication API Login endpoint for a user, you can pass their email address to the login_hint parameter: 
https://{yourDomain}/authorize
  ?client_id={yourClientId}
  &response_type=token
  &redirect_uri={https://yourApp/callback}
  &scope=openid%20name%20email
  &login_hint=user@domain.com
This value will then be passed to the X authorization endpoint as the screen_name parameter: 
https://api.twitter.com/oauth/authorize
  ?oauth_token={yourXAuthToken}
  &screen_name=user@domain.com