Description
I want to make clear that this feature is also missing for SAML2, so definitely check supabase/auth#2271 first. I think that should be prioritized since it's more important for enterprise, and the SAML solution should be easier since it's one solution for all providers, while my proposed solution here would need you to type out all the options for each provider. It should still be a cheap feature to implement and maintain. We don't use OAuth anymore but wanted to add this for completeness.
Issue:
Supabase Auth should support passing custom parameters (such as tenant, login_hint, or other provider-specific params) to the OAuth authorization URL directly from the frontend.
Alternatively, there should be a way to override or extend the generated auth URL at runtime on a per-login basis.
Problem
Currently, when using Supabase Auth’s OAuth providers (like Microsoft, Google, etc.), the redirect URL is fully managed by Supabase. While this works for most single-tenant cases, it limits flexibility for multi-tenant or dynamic login experiences.
For example, with Azure AD, Supabase always sends users to:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
But for multi-tenant apps, users often belong to different Azure AD tenants, and should be redirected to:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
This tenant ID cannot currently be set from the frontend. There are ways to set query params, but that is not enough in this case, because the tenant is a path segment of the authorization URL, and domain_hint isn't reliable as a query param either. The tenant can be set from the backend (project configuration), but that won't work for multi-tenant apps that share one Supabase project.
Why this is needed
- Multi-tenant apps often require per-organization authentication flows (different Azure AD tenant IDs).
- Improved UX: adding login_hint helps prefill or restrict users' login context.
- Parity with other SDKs: for instance, Firebase allows this (see https://firebase.google.com/docs/auth/web/microsoft-oauth#handle_the_sign-in_flow_with_the_firebase_sdk):

```js
provider.setCustomParameters({ tenant: 'TENANT_ID', login_hint: '[email protected]' });
```

- Flexibility for future providers: this feature would generalize well to other OAuth providers that use custom parameters.
Example use case
A multi-tenant SaaS app where each tenant (organization) has its own Azure AD tenant ID configured in the app. When their users click “Login with Microsoft,” they should be redirected to their correct tenant login page — not the generic Microsoft /common login.
Suggested solution
What’s missing
A way to pass custom parameters for each OAuth provider, or to modify the provider authorization URL.
You could follow Firebase in this with: https://firebase.google.com/docs/auth/web/microsoft-oauth#handle_the_sign-in_flow_with_the_firebase_sdk
But something like this would solve the problem just as well:
```js
// Proposed API: a dedicated tenantId option (does not exist in supabase-js today).
await supabase.auth.signInWithOAuth({
  provider: 'azure',
  options: {
    tenantId: 'hello.onmicrosoft.com'
  }
});
```
Or, alternatively, an API to override the base authorization URL, if you are okay with devs having this freedom, but this would be the cheapest way:
```js
// Proposed API: override the base authorization URL (does not exist in supabase-js today).
// tenantId comes from the app's per-organization configuration; the template literal
// needs backticks to interpolate it.
await supabase.auth.signInWithOAuth({
  provider: 'azure',
  options: {
    authUrl: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`
  }
});
```
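The tenantId option is the safer of the two proposals, because a free-form authUrl override lets any caller point the login flow at an arbitrary host. As an added example (not code from this issue or from supabase-js), this is how a tenant-aware Azure AD authorization URL can be built from a validated tenant identifier only; clientId, redirectUri and state are placeholders the caller supplies, and the accepted tenant shapes (GUID, the documented aliases, or a domain such as hello.onmicrosoft.com) are this example's own choice:

```javascript
// Added example, not supabase-js code: build the Azure AD authorize URL for a
// specific tenant instead of the shared "/common" endpoint, while accepting
// only a validated tenant identifier so the host and path cannot be hijacked.
const AZURE_LOGIN_BASE = 'https://login.microsoftonline.com';

// Entra ID tenant IDs are GUIDs; "common", "organizations" and "consumers" are
// the multi-tenant aliases; a verified tenant domain is also accepted here.
const TENANT_GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const TENANT_DOMAIN = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
const TENANT_ALIASES = new Set(['common', 'organizations', 'consumers']);

function isValidTenant(tenantId) {
  return typeof tenantId === 'string' &&
    (TENANT_ALIASES.has(tenantId) ||
     TENANT_GUID.test(tenantId) ||
     TENANT_DOMAIN.test(tenantId));
}

// Builds the authorization URL; login_hint is only added when a hint is given.
// Rejecting anything with "/" or ".." keeps the tenant a single path segment.
function buildAzureAuthorizeUrl({ tenantId, clientId, redirectUri, state, loginHint }) {
  if (!isValidTenant(tenantId)) {
    throw new Error(`invalid Azure AD tenant: ${String(tenantId)}`);
  }
  const url = new URL(`${AZURE_LOGIN_BASE}/${tenantId}/oauth2/v2.0/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid email profile');
  url.searchParams.set('state', state);
  if (loginHint) url.searchParams.set('login_hint', loginHint);
  return url.toString();
}

// Constructed sample values for demonstration only.
const example = buildAzureAuthorizeUrl({
  tenantId: '11111111-2222-3333-4444-555555555555',
  clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'https://example.com/auth/callback',
  state: 'random-state-value',
  loginHint: 'user@example.com',
});
console.log(example);
```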
Alternative
There are no workarounds as of right now.
Additional context
I think supabase/auth#2271 should be fixed first, as it impacts enterprises; this is a feature needed by enterprises, and it should be way easier to implement.