Authenticating users via login page on client side device with very frequently changing callback URL

Hello there :wave: ,

I wanted to inquire about the possibility of integrating Auth0 authentication into my Django app, which is installed on clients’ machines. My goal is to enable user authentication via Auth0 login without having to set the clients’ local device IPs in the “Allowed callback URLs” field within the Auth0 dashboard since, as you know, local IPs change and differ from one device to another.

I would greatly appreciate it if you could provide some guidance or insights into achieving this objective with Auth0. Thank you for your assistance.

Best regards.

Hi @Dever :wave:

Welcome to the community! :sunglasses:

:thinking: It’s an interesting use case. The issue one typically faces is not so much the IP address as it is the port number: is almost universally synonymous with the localhost, whilst it’s the port number that typically gets randomly assigned. Whilst registering a port for your application is one possible approach, there are a lot of other implications to consider when going down that route - not least the cost of doing so.

Using the preferred flow associated with OIDC/OAuth 2, i.e. Authorization Code Flow, really does require one to set up Allowed callback URLs - it’s an integral part of the security associated with that flow. Auth0 does support Resource Owner Password Flow though, which typically doesn’t utilise any callback URL (though Auth0 will typically require at least one to be defined). However, please be aware that you do miss out on a lot of the capability provided by the Auth0 platform out-of-box if you do use the Resource Owner Password Flow. It’s also an inherently less secure flow, not least because the application has to handle user credentials.

Is there some particular reason why the app is installed locally rather than being hosted by some service provider?

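As an added illustration (not part of the reply above and not Auth0's implementation), this generic sketch shows the `redirect_uri` check an authorization server performs in the Authorization Code Flow: a changing LAN IP fails it, while a loopback address with a randomly assigned port can be accommodated by the any-port rule of RFC 8252 section 7.3. The registered URLs, the function names and the `loopback_any_port` switch are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample registration standing in for an "Allowed callback URLs" list.
ALLOWED_CALLBACKS = (
    "https://app.example.com/callback",
    "http://127.0.0.1/callback",
)
LOOPBACK_IPS = {"127.0.0.1", "::1"}


def _key(url):
    """Split a URL into (scheme, host, port, path, query); ValueError if malformed."""
    u = urlsplit(url)
    if u.username or u.password or u.fragment:
        raise ValueError("userinfo and fragments are not valid in a callback URL")
    return u.scheme.lower(), (u.hostname or "").lower(), u.port, u.path, u.query


def is_allowed_redirect(redirect_uri, allowed=ALLOWED_CALLBACKS, loopback_any_port=True):
    """Hypothetical validator: exact match first, then the loopback any-port rule."""
    # 1. Exact string comparison against the registered list.
    if redirect_uri in allowed:
        return True
    if not loopback_any_port:
        return False
    try:
        scheme, host, _port, path, query = _key(redirect_uri)
    except ValueError:
        return False
    # 2. RFC 8252 section 7.3: for http loopback IP literals only, ignore the port.
    if scheme != "http" or host not in LOOPBACK_IPS:
        return False
    for registered in allowed:
        try:
            r_scheme, r_host, _r_port, r_path, r_query = _key(registered)
        except ValueError:
            continue
        if (r_scheme, r_host, r_path, r_query) == (scheme, host, path, query):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests: random loopback port, a LAN address, a wrong path.
    for uri in ("http://127.0.0.1:51234/callback",
                "http://192.168.1.23:8000/callback",
                "http://127.0.0.1:51234/other"):
        print(uri, "->", is_allowed_redirect(uri))
```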

We basically provide a packaged Django app that users can install on their devices and use locally. You mentioned the use of the IP; it would work, but if they accessed the app from another device in the network it wouldn’t let them in.

> Is there some particular reason why the app is installed locally rather than being hosted by some service provider?

It’s for the users who want to host it on their own devices and only use the app locally.

Is there a way to assign an app id or a specific variable we can implement in our app other than a callback url?