
Support custom OAuth parameters or configurable auth URL from frontend

Open IdrisCelik opened this issue 2 months ago • 0 comments

Supabase Auth should support passing custom parameters (such as tenant, login_hint, or other provider-specific params) to the OAuth authorization URL directly from the frontend. Alternatively, there should be a way to override or extend the generated auth URL at runtime on a per-login basis.

Problem

Currently, when using Supabase Auth’s OAuth providers (like Microsoft, Google, etc.), the redirect URL is fully managed by Supabase. While this works for most single-tenant cases, it limits flexibility for multi-tenant or dynamic login experiences.

For example, with Azure AD, Supabase always sends users to: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

But for multi-tenant apps, users often belong to different Azure AD tenants, and should be redirected to: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize

This tenant ID cannot currently be set from the frontend. Similarly, there’s no way to add parameters like login_hint (which improves user experience by pre-filling the email address). It can be set from the backend, but this won't work for multi-tenant apps that are on one project.

What’s missing

A way to use customParameters for each OAuth provider or to modify the provider authorization URL.

For example, something like this would solve the problem:

await supabase.auth.signInWithOAuth({ provider: 'azure', options: { tenantId: 'hello.onmicrosoft.com' } });

Or, alternatively, an API to override the base authorization URL:

await supabase.auth.signInWithOAuth({ provider: 'azure', options: { authUrl: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize` } });

Why this is needed

Multi-tenant apps often require per-organization authentication flows (different Azure AD tenant IDs).

Improved UX: Adding login_hint helps prefill or restrict users’ login context.

Parity with other SDKs: For instance, Firebase allows this with https://firebase.google.com/docs/auth/web/microsoft-oauth#handle_the_sign-in_flow_with_the_firebase_sdk

provider.setCustomParameters({ tenant: 'TENANT_ID', login_hint: '[email protected]' });

Flexibility for future providers: This feature would generalize well to other OAuth providers that use custom parameters.

Possible approaches

I think Supabase should really step up here and look at how Firebase did this; their solution is quite robust. Or at least expose a hook/callback that lets the developer modify the auth URL before redirect.

Example use case

A multi-tenant SaaS app where each tenant (organization) has its own Azure AD tenant ID configured in the app. When their users click “Login with Microsoft,” they should be redirected to their correct tenant login page — not the generic Microsoft /common login.

IdrisCelik avatar Oct 28 '25 18:10 IdrisCelik
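
A tenant or set of custom parameters that arrives from the frontend is untrusted input, so whatever assembles the authorization URL has to pin the host and allowlist what it forwards. The sketch below is an added example, not code from the issue, supabase-js or Supabase Auth; `buildAzureAuthorizeUrl`, its arguments and the sample values are hypothetical.

```javascript
// Added example: hypothetical helper, not part of supabase-js or Supabase Auth.
const AZURE_HOST = 'login.microsoftonline.com';

// Accepted tenant segments: a GUID, a domain name, or a well-known alias.
const TENANT_GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const TENANT_DOMAIN = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const TENANT_ALIASES = new Set(['common', 'organizations', 'consumers']);

// Only these caller-supplied parameters are forwarded. Protocol parameters
// (client_id, redirect_uri, state, scope, ...) can never come from the caller.
const ALLOWED_CUSTOM_PARAMS = new Set(['login_hint', 'domain_hint', 'prompt']);

function buildAzureAuthorizeUrl(tenant, serverParams, customParams = {}) {
  const t = String(tenant);
  if (!(TENANT_ALIASES.has(t) || TENANT_GUID.test(t) || TENANT_DOMAIN.test(t))) {
    // Rejects '/', '@', '..' and anything else that could alter host or path.
    throw new Error('invalid tenant identifier');
  }
  const url = new URL(`https://${AZURE_HOST}/${t}/oauth2/v2.0/authorize`);

  for (const [key, value] of Object.entries(customParams)) {
    if (!ALLOWED_CUSTOM_PARAMS.has(key)) {
      throw new Error(`custom parameter not allowed: ${key}`);
    }
    if (typeof value !== 'string' || value.length > 320) {
      throw new Error(`bad value for ${key}`);
    }
    url.searchParams.set(key, value);
  }
  // Server-owned parameters are written last, so they always win.
  for (const [key, value] of Object.entries(serverParams)) {
    url.searchParams.set(key, value);
  }
  // Defence in depth: the host must still be the fixed Microsoft endpoint.
  if (url.hostname !== AZURE_HOST) throw new Error('unexpected authorization host');
  return url.toString();
}

// Constructed sample call; every value here is a placeholder.
console.log(buildAzureAuthorizeUrl(
  'hello.onmicrosoft.com',
  { client_id: 'constructed-client-id', state: 'constructed-state' },
  { login_hint: 'user@example.com' },
));
```

Accepting a full `authUrl` string from the client would skip the host pinning shown here, which is why the helper takes only a tenant segment.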