Idea ID: 2879163

More flexibility regarding the optional parameters sent in an authorization request when using the OAuth integration.

Status: New Idea

SSPR has a feature that allows an admin to use the macro syntax and send extra info as part of an auth redirect to a configured OAUTH2/OIDC integration.

This is referred to as a login_hint and is an optional part of the OIDC core spec that is intended to give the Authorization Server some sort of starting point (prefill the username field for example). Since the parameter name is hardcoded, the target use case is rather limited.

There are many other use cases that also can necessitate sending an additional parameter as part of the auth redirect.

A scenario might be a partner integrator/service provider that has a single integration with said remote Authorization Server, which actually handles multiple customers within said integration. This type of scenario is not uncommon.

Some OIDC implementations support other parameters, some of which are marked as optional in the core spec, while others are very much implementation specific. The specific parameter I would like to use is referred to as the onbehalfof parameter, which can, for example, allow the remote Authorization Server to know which underlying customer on their side this request is for.

Just to clarify, this is not the same thing as the on-behalf-of flow that is a Microsoft-specific extension of the OAuth spec. That is something completely different.

Specifying this value can facilitate individual billing and statistics per underlying customer, or individual branding of the remote server's sign-in page depending on the customer.

It is extremely likely that there are many other scenarios where the ability to specify one or more optional parameters in the auth request could be useful for other customers. This would allow many implementation-specific configurations that would otherwise be unable to be configured.

I envision this as being addressed by a more flexible mechanism so that an SSPR admin could define multiple parameters each with a customisable parameter name and a parameter value that support macros. The out of the box configuration could just include login_hint (to match today's functionality), but that should be further customisable by the administrator.
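
An added sketch of the mechanism proposed above, not SSPR code: admin-defined extra parameters with macro-expanded values are merged into the authorization request, refused if they would override a protocol parameter, and percent-encoded so a value cannot smuggle in further parameters. The `@NAME@` macro syntax, the function names, the endpoints and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlsplit, parse_qs

# Parameters the client itself must control; an admin-defined extra must never replace them.
RESERVED = {"response_type", "client_id", "redirect_uri", "scope", "state",
            "nonce", "code_challenge", "code_challenge_method"}
MACRO = re.compile(r"@([A-Za-z]+)@")  # hypothetical macro syntax, not SSPR's own

def expand(template, context):
    """Replace each @NAME@ token with its context value; unknown macros are an error."""
    def sub(match):
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unknown macro: {name}")
        return context[name]
    return MACRO.sub(sub, template)

def build_auth_url(endpoint, core, extras, context):
    """core: protocol parameters; extras: admin-defined {name: value template}."""
    params = dict(core)
    for name, template in extras.items():
        if name.lower() in RESERVED or name in core:
            raise ValueError(f"extra parameter may not override {name!r}")
        value = expand(template, context)
        if value:  # omit parameters whose template expands to an empty string
            params[name] = value
    # urlencode percent-encodes every value, so "&" or "=" inside a macro
    # value stays part of that value instead of starting a new parameter.
    return endpoint + "?" + urlencode(params)

# Constructed sample configuration and user context
CORE = {"response_type": "code", "client_id": "sspr-client",
        "redirect_uri": "https://sspr.example.com/oauth", "scope": "openid",
        "state": "af0ifjsldkj"}
EXTRAS = {"login_hint": "@UserID@", "onbehalfof": "@Customer@"}
CONTEXT = {"UserID": "alice&client_id=other", "Customer": "customer-42"}

def demo():
    """Build the request and parse it back the way the Authorization Server would."""
    url = build_auth_url("https://as.example.com/authorize", CORE, EXTRAS, CONTEXT)
    return parse_qs(urlsplit(url).query)

if __name__ == "__main__":
    print(demo())
```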