[FEATURE] Support for state in login_link in Auth0 OAuth client #736

@akashkroy

Description

Currently, the login_link method in the Auth0AppClient (and possibly other OAuth clients) does not support passing a custom state parameter. The state parameter is important for maintaining state between the authentication request and callback, and is a recommended security best practice to prevent CSRF attacks.

Expected Behavior

  • The login_link method should accept an optional state argument.
  • If provided, the state value should be included in the generated Auth0 authorization URL as a query parameter.

Current Behavior

  • The state parameter is not supported or ignored in the current implementation of login_link for Auth0AppClient.

Example

client = Auth0AppClient(...)
auth_url = client.login_link(req, state='my-custom-state')
# The generated URL should include: ...&state=my-custom-state

Motivation

Supporting the state parameter is important for:

  • Security (CSRF protection)
  • Passing application-specific context through the OAuth flow

Additional Context

  • Auth0 Docs: State Parameter
  • This feature would bring the Auth0 client in line with OAuth2 best practices and other client implementations.
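
Added example (not part of the original issue and not the library's own code): one way a state value can serve both motivations listed above, using a per-request nonce tied to the user's session for CSRF protection and HMAC-signed application context that survives the redirect. The function names, the `oauth_nonce` session key, and the `tenant.example` / `app.example` URLs are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

def _sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_state(session: dict, context: dict, key: bytes) -> str:
    """Build a state value: a per-request nonce bound to the session, plus app context."""
    nonce = secrets.token_urlsafe(32)
    session["oauth_nonce"] = nonce                # server-side copy to compare on callback
    body = json.dumps({"n": nonce, "ctx": context}).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    return f"{payload}.{_sign(key, payload)}"

def authorize_url(endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Append the standard OAuth 2.0 authorization parameters, including state."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "openid profile email",
                       "state": state})
    return f"{endpoint}?{query}"

def verify_state(session: dict, returned: str, key: bytes):
    """Return the context if state matches this session, else None (single use)."""
    expected = session.pop("oauth_nonce", None)   # pop: a state value works once
    if not expected or not returned or "." not in returned:
        return None
    payload, sig = returned.rsplit(".", 1)
    if not hmac.compare_digest(sig.encode(), _sign(key, payload).encode()):
        return None                               # context was altered in transit
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    if not hmac.compare_digest(str(data.get("n", "")).encode(), expected.encode()):
        return None                               # callback not started by this session
    return data.get("ctx")

if __name__ == "__main__":
    key = secrets.token_bytes(32)                 # constructed demo key
    session = {}                                  # stands in for the framework session
    state = make_state(session, {"next": "/billing"}, key)
    print(authorize_url("https://tenant.example/authorize", "CLIENT_ID",
                        "https://app.example/redirect", state))
    print(verify_state(session, state, key))      # context returned for the same session
    print(verify_state({}, state, key))           # different session: rejected
```

The callback handler would call `verify_state` before exchanging the authorization code and abort the login when it returns `None`.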
