Unwanted parameters in /authorize call

[nicosabena]

Lock v10.10.1 (probably after referencing auth0.js 8.1.2 because of PR #324) adds some additional parameters when doing an authorize call, such as popup and popup_options, that seem out of place.

Lock v10.7.0:

https://nico-sabena.auth0.com/authorize
  ?scope=openid
  &response_type=code
  &connection=[...]
  &connection_scope=
  &sso=true
  &state=
  &client_id=[...]
  &redirect_uri=[...]
  &auth0Client=[...]

Lock v10.10.0:

https://nico-sabena.auth0.com/authorize
  ?connection=[...]
  &auth0Client=[...]
  &client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &scope=openid

v10.10.1 and after:

https://nico-sabena.auth0.com/authorize
?client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &connection=[...]
  &connection_scope=
  &popup=false
  &popup_options=%5Bobject%20Object%5D
  &sso=true
  &state=nndfasdfasdf
  &scope=openid
  &auth0Client=[...]

[glena]

can you share the js code? (auth0.js initialization and the method call)

[nicosabena]

You can replicate with:

var lock = new Auth0Lock('BYmE3DvjklkyaOADad2gABf05OplTXFV', 'nico-sabena.auth0.com');
lock.show();

and click on the Google social login.

[glena]

I think that the empty connection_scope comes from here https://github.com/auth0/lock/blob/master/src/quick-auth/actions.js#L16 (check if it is adding it in other flows too)

popup and popup_options comes from here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L39-L40 that is being merged into the auth0.js option like here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L55 (this happens in all the calls). The same happen with the other web api implementation.

We should make sure that lock does not sends those params to auth0.js.