No, I don’t, because anyone could download and install the plugin on its own WordPress instance.
I was thinking to put the desired WordPress callback URL in the “state” query param of the login call in order to allow an additional service to bridge redirection from the callback configured in the Auth0 application to the actual WordPress URL.
I was wondering if there could be a security implication, tough.