Problem
LoginId.login() only processes username and captcha server-side. The method signature accepts additional fields via [key: string]: string | number | boolean | undefined, but the server silently ignores anything beyond those two params. This makes it impossible to influence connection routing from within the ACUL screen after the identifier is collected.
This is already supported at the React SDK level via loginWithRedirect():
    await loginWithRedirect({
      authorizationParams: {
        organization: 'org_xxxx',
        login_hint: email,
      },
    });
When organization is passed there, Auth0 correctly scopes the transaction to that org's connection from the start. The gap is that there is no equivalent on the ACUL side. Once the user is on the login-id screen and we know their identifier, there is no supported way to achieve the same result.
Proposed Feature
Extend LoginId.login() to support additional first-class params - such as organization - that the server actually honours to re-scope the current transaction before proceeding, without breaking the existing PKCE chain.
    await loginIdManager.login({
      username: email,
      organization: 'org_xxxx',
      // or: organization: { id: 'org_xxxx', connection: 'db-connection-name' }
    });
Example Use Case
We use Identifier First with ACUL and have two connections - passwordless OTP (default) and password-based - for users who share the same email domain. We have a backend endpoint that returns the correct org/connection given an email. We want to call it from the login-id screen after the user types their identifier and route them to the correct connection accordingly. There is currently no supported way to do this from within ACUL.
The only viable workaround is moving the org lookup to before loginWithRedirect() in each application, which is the opposite of centralised and requires changes across every app consuming our auth library.
References:
Environment:
- @auth0/auth0-acul-js: 1.0.0
- @auth0/auth0-react: latest
- Auth flow: Identifier First + ACUL
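
The workaround mentioned above (doing the org lookup before loginWithRedirect()), sketched as one shared helper; this is an added example, not code from the issue or from the Auth0 SDKs. The `lookupOrg` callback, its `{ organization }` response shape, the `ORG_ID_PATTERN` format check and the timeout value are assumptions made for illustration.

```javascript
// Assumed org id format for this sketch; adjust to what your tenant actually issues.
const ORG_ID_PATTERN = /^org_[A-Za-z0-9]{1,64}$/;

// Pure step: turn an email plus an untrusted lookup result into authorizationParams.
// Only the allow-listed `organization` key is forwarded; every other field in the
// lookup response is dropped so the backend cannot inject arbitrary /authorize params.
function buildAuthorizationParams(email, lookupResult) {
  const params = { login_hint: String(email).trim() };
  const org = lookupResult && lookupResult.organization;
  if (typeof org === 'string' && ORG_ID_PATTERN.test(org)) {
    params.organization = org;
  }
  return params; // without `organization` the default (non-org) flow is used
}

// Async step: call the hypothetical lookup with a timeout, then redirect.
// A failed, slow or malformed lookup falls back to the default flow rather than
// blocking login or forwarding an unvalidated value.
async function loginWithOrgRouting(loginWithRedirect, lookupOrg, email, timeoutMs = 2000) {
  let result = null;
  let timer;
  try {
    result = await Promise.race([
      lookupOrg(email),
      new Promise((_, reject) => {
        timer = setTimeout(() => reject(new Error('org lookup timed out')), timeoutMs);
      }),
    ]);
  } catch (_err) {
    result = null; // treat any lookup error as "no organization"
  } finally {
    clearTimeout(timer);
  }
  const authorizationParams = buildAuthorizationParams(email, result);
  await loginWithRedirect({ authorizationParams });
  return authorizationParams;
}
```

Because the lookup answers "which org does this email belong to", it also tells an unauthenticated caller something about the account, so it is worth rate limiting and returning the same shape for unknown emails.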