st.login() when using Google - state parsing appears to be incorrect

[daileykluck]

Checklist

• I have searched the existing issues for similar issues.
• I added a very descriptive title to this issue.
• I have provided sufficient information below to help reproduce this issue.

Summary

When attempting to configure st.login() with our application, we are getting an error that indicates that the state might not be properly set according to the code that attempts to parse it.

We have confirmed that the received state is the same as the outgoing state, but upon redirect it looks like it doesn't parse as expected.

Reproducible Code Example

# streamlit.py

import streamlit as st

if st.button("Log in with Google"):
            st.login(provider='google_dev')


# secrets.toml
[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "somesecret"

[auth.google_dev]
client_id = "something-something.apps.googleusercontent.com"
client_secret = "some-secret"
server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration"

Steps To Reproduce

1. Click on the button
2. Select your profile
3. Check server logs

Expected Behavior

I would have expected what looked to be an incredibly easy way to replace our current homegrown implementation of OAuth in Streamlit! Really pumped for this, just hitting a minor snag that I think looks like a bug.

Current Behavior

Traceback (most recent call last):
...
venv/lib/python3.11/site-packages/streamlit/web/server/oauth_authlib_routes.py", line 128, in get
    provider = self._get_provider_by_state()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".../.venv/lib/python3.11/site-packages/streamlit/web/server/oauth_authlib_routes.py", line 157, in _get_provider_by_state
    _, _, recorded_provider, code = key.split("_")
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: too many values to unpack (expected 4)

Is this a regression?

• Yes, this used to work in a previous version.

Debug info

• Streamlit version: 1.42.0
• Authlib version: 1.4.1
• Python version: 3.11
• Operating System: MacOS 15.2 (24C101)
• Browser: Version 132.0.6834.160 (Official Build) (arm64)

Additional Information

No response

[github-actions]

If this issue affects you, please react with a 👍 (thumbs up emoji) to the initial post.

Your feedback helps us prioritize which bugs to investigate and address first.

[kajarenc]

Hello @daileykluck!
Thank you very much for opening this issue! ❤

I was able to reproduce the behavior and could confirm that it looks like a bug!

The root cause of it in our implementation details is that when Authlib sets the state, it prefixes the token with the provider name and uses _ as a delimiter.

We will work to fix that, but for now, as a workaround, please use a provider name that doesn't contain _; this should fix the issue!

E.g. you name your provider googledev instead of google_dev in secrets.toml and in st.login call, everything should work as expected!

I hope this is helpful; please let us know if you will have other issues with reusing Auth functionality in Streamlit.

[daileykluck]

This is awesome, I can confirm that the workaround provided did indeed do the trick! Thank you for the detailed explanation, sometimes feels like something I should have guessed 😆 !