GetJobber · jeffreyolio · Jul 14, 2025 · May 27, 2024
diff --git a/lib/omniauth/strategies/auth0.rb b/lib/omniauth/strategies/auth0.rb
@@ -84,9 +84,8 @@ def client
       # Define the parameters used for the /authorize endpoint
       def authorize_params
         params = super
-        %w[connection connection_scope prompt screen_hint login_hint organization invitation ui_locales].each do |key|
-          params[key] = request.params[key] if request.params.key?(key)
-        end
+
+        params.merge! request.params.select{|k,b| is_authorized_param?(k)}
 
         # Generate nonce
         params[:nonce] = SecureRandom.hex
@@ -128,6 +127,12 @@ def callback_phase
       end
 
       private
+      def is_authorized_param?(param_key)
+        authorized_keys = %w[connection connection_scope prompt screen_hint login_hint organization invitation ui_locales]
+
+        param_key.start_with?("ext-") || authorized_keys.include?(param_key)
+      end
+
       def jwt_validator
         @jwt_validator ||= OmniAuth::Auth0::JWTValidator.new(options)
       end

diff --git a/spec/omniauth/strategies/auth0_spec.rb b/spec/omniauth/strategies/auth0_spec.rb
@@ -92,6 +92,7 @@
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
       expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('ext-test')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
       expect(redirect_url).not_to have_query('login_hint')
@@ -111,6 +112,7 @@
       expect(redirect_url).to have_query('connection', 'abcd')
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('ext-test')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
       expect(redirect_url).not_to have_query('login_hint')
@@ -139,6 +141,7 @@
       expect(redirect_url).to have_query('prompt', 'login')
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('ext-test')
       expect(redirect_url).not_to have_query('login_hint')
       expect(redirect_url).not_to have_query('organization')
       expect(redirect_url).not_to have_query('invitation')
@@ -156,6 +159,7 @@
       expect(redirect_url).to have_query('screen_hint', 'signup')
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('ext-test')
       expect(redirect_url).not_to have_query('login_hint')
       expect(redirect_url).not_to have_query('organization')
       expect(redirect_url).not_to have_query('invitation')
@@ -175,6 +179,7 @@
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
       expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('ext-test')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
       expect(redirect_url).not_to have_query('login_hint')
@@ -193,6 +198,27 @@
       expect(redirect_url).not_to have_query('auth0Client')
       expect(redirect_url).not_to have_query('connection')
       expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('ext-test')
+      expect(redirect_url).not_to have_query('prompt')
+      expect(redirect_url).not_to have_query('screen_hint')
+      expect(redirect_url).not_to have_query('organization')
+      expect(redirect_url).not_to have_query('invitation')
+    end
+
+    it 'redirects to hosted login page with ext-test=testval' do
+      get 'auth/auth0?ext-test=testval'
+      expect(last_response.status).to eq(302)
+      redirect_url = last_response.headers['Location']
+      expect(redirect_url).to start_with('https://samples.auth0.com/authorize')
+      expect(redirect_url).to have_query('response_type', 'code')
+      expect(redirect_url).to have_query('state')
+      expect(redirect_url).to have_query('client_id')
+      expect(redirect_url).to have_query('redirect_uri')
+      expect(redirect_url).to have_query('ext-test', 'testval')
+      expect(redirect_url).not_to have_query('auth0Client')
+      expect(redirect_url).not_to have_query('connection')
+      expect(redirect_url).not_to have_query('connection_scope')
+      expect(redirect_url).not_to have_query('login_hint')
       expect(redirect_url).not_to have_query('prompt')
       expect(redirect_url).not_to have_query('screen_hint')
       expect(redirect_url).not_to have_query('organization')