Description
Currently, the login_link method in the Auth0AppClient (and possibly other OAuth clients) does not support passing a custom state parameter. The state parameter is important for maintaining state between the authentication request and callback, and is a recommended security best practice to prevent CSRF attacks.
Expected Behavior
- The login_link method should accept an optional state argument.
- If provided, the state value should be included in the generated Auth0 authorization URL as a query parameter.
Current Behavior
- The state parameter is not supported or is ignored in the current implementation of login_link for Auth0AppClient.
Example
client = Auth0AppClient(...)
auth_url = client.login_link(req, state='my-custom-state')
# The generated URL should include: ...&state=my-custom-state
Motivation
Supporting the state parameter is important for:
- Security (CSRF protection)
- Passing application-specific context through the OAuth flow
Additional Context
- Auth0 Docs: State Parameter
- This feature would bring the Auth0 client in line with OAuth2 best practices and other client implementations.
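An added sketch (not part of the original issue and not the project's code) of how an optional state value can serve both purposes listed under Motivation: a per-session random nonce for CSRF protection plus application context, checked when the callback arrives. The helper names, the session dict, the tenant domain and the client ID are hypothetical placeholders.

```python
import base64, hmac, json, secrets
from urllib.parse import urlencode

AUTH0_DOMAIN = "tenant.example.com"   # constructed placeholder
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"   # constructed placeholder

def new_state(session, context):
    """Build a state value: random nonce (CSRF binding) + encoded app context."""
    nonce = secrets.token_urlsafe(32)          # never contains "."
    session["oauth_nonce"] = nonce             # tied to this browser session
    ctx = base64.urlsafe_b64encode(json.dumps(context).encode()).decode()
    return f"{nonce}.{ctx}"

def build_login_link(redirect_uri, state=None, scope="openid profile email"):
    """Stand-alone equivalent of the requested behaviour: state is optional."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": scope}
    if state is not None:
        params["state"] = state                # urlencode escapes it safely
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"

def check_callback_state(session, returned_state):
    """Return the decoded context if state matches this session, else None."""
    expected = session.pop("oauth_nonce", None)   # single use: blocks replay
    if not expected or not returned_state or "." not in returned_state:
        return None
    nonce, ctx = returned_state.split(".", 1)
    # Constant-time comparison of the returned nonce with the stored one.
    if not hmac.compare_digest(nonce.encode(), expected.encode()):
        return None
    try:
        # Context is user-visible and user-editable: validate it before use
        # (for example, only allow relative paths for a "next" redirect).
        return json.loads(base64.urlsafe_b64decode(ctx.encode()))
    except ValueError:
        return None
```

The callback handler should reject the request whenever check_callback_state returns None, before exchanging the authorization code.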