diff --git a/cmd/cmd_perform_authorization_code.go b/cmd/cmd_perform_authorization_code.go
index 78bc2dbc120..60c0ae57425 100644
--- a/cmd/cmd_perform_authorization_code.go
+++ b/cmd/cmd_perform_authorization_code.go
@@ -132,15 +132,19 @@ and success, unless if the --no-shutdown flag is provided.`,
 				Scopes:      scopes,
 			}
 
-			var generateAuthCodeURL = func() (string, []rune) {
-				state, err := randx.RuneSequence(24, randx.AlphaLower)
-				cmdx.Must(err, "Could not generate random state: %s", err)
+			var generateAuthCodeURL = func() (string, string) {
+				state := flagx.MustGetString(cmd, "state")
+				if len(state) == 0 {
+					generatedState, err := randx.RuneSequence(24, randx.AlphaLower)
+					cmdx.Must(err, "Could not generate random state: %s", err)
+					state = string(generatedState)
+				}
 
 				nonce, err := randx.RuneSequence(24, randx.AlphaLower)
 				cmdx.Must(err, "Could not generate random state: %s", err)
 
 				authCodeURL := conf.AuthCodeURL(
-					string(state),
+					state,
 					oauth2.SetAuthURLParam("audience", strings.Join(audience, "+")),
 					oauth2.SetAuthURLParam("nonce", string(nonce)),
 					oauth2.SetAuthURLParam("prompt", strings.Join(prompt, "+")),
@@ -295,6 +299,7 @@ and success, unless if the --no-shutdown flag is provided.`,
 	cmd.Flags().String("client-id", os.Getenv("OAUTH2_CLIENT_ID"), "Use the provided OAuth 2.0 Client ID, defaults to environment variable OAUTH2_CLIENT_ID")
 	cmd.Flags().String("client-secret", os.Getenv("OAUTH2_CLIENT_SECRET"), "Use the provided OAuth 2.0 Client Secret, defaults to environment variable OAUTH2_CLIENT_SECRET")
 
+	cmd.Flags().String("state", "", "Force a state value (insecure)")
 	cmd.Flags().String("redirect", "", "Force a redirect url")
 	cmd.Flags().StringSlice("audience", []string{}, "Request a specific OAuth 2.0 Access Token Audience")
 	cmd.Flags().String("auth-url", "", "Usually it is enough to specify the `endpoint` flag, but if you want to force the authorization url, use this flag")