exchange_code_for_session() breaks with "unsupported_grant_type" error in 2.11.0

[jackyliang]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Earlier this week, I noticed that my Google login with Supabase was failing. Looking at my logs, the function exchange_code_for_session() was failing.

The exchange_code_for_session() method stops working when upgrading from supabase-py 2.9.0/2.10.0 to 2.11.0 on Render (my hosting service), failing with an "unsupported_grant_type" error. The implementation appears identical between versions, making the cause unclear. Locally, running through uvicorn, it works just fine.

But on Render, it fails.

Code

# Working in 2.9.0 and 2.10.0, breaks in 2.11.0
session_response = supabase.auth.exchange_code_for_session({"auth_code": code})
return supabase.auth.get_user(session_response.session.access_token), session_response.session

Error Details

Full request/response from 2.11.0:

=== REQUEST DETAILS ===
Method: POST
URL: https://[REDACTED].supabase.co/auth/v1/token?grant_type=pkce
Headers:
  Content-Type: application/json;charset=UTF-8
  X-Supabase-Api-Version: 2024-01-01
  Authorization: Bearer [REDACTED]
  X-Client-Info: supabase-py/2.11.0
Query Params:
Body:
  {'auth_code': '[REDACTED]', 'code_verifier': '[REDACTED]'}
=== END REQUEST DETAILS ===

=== RESPONSE DETAILS ===
Status Code: 400
Response Headers:
  date: Fri, 24 Jan 2025 04:25:34 GMT
  content-type: application/json
  content-length: 65
  cf-ray: 906d42a8ee94cf4e-CMH
  cf-cache-status: DYNAMIC
  strict-transport-security: max-age=31536000; includeSubDomains
  vary: Origin, Accept-Encoding
  sb-gateway-version: 1
  sb-project-ref: tmvqjanzajgiycfziqyr
  x-content-type-options: nosniff
  x-envoy-attempt-count: 1
  x-envoy-upstream-service-time: 0
  x-sb-error-code: invalid_credentials
  x-supabase-api-version: 2024-01-01
  server: cloudflare
  alt-svc: h3=":443"; ma=86400
Response Body:
  {"code":"invalid_credentials","message":"unsupported_grant_type"}
=== END RESPONSE DETAILS ===

Environment

• supabase-py version: 2.11.0 (broken) / 2.10.0 and 2.9.0 (working)
• Flow type: PKCE
• Environment: Production deployed to Render

Current Workaround

Pinning the version to supabase-py==2.10.0 in requirements.txt resolves the issue. But this means I cannot upgrade to the latest versions without it breaking.

Questions

1. What changed in 2.11.0 that causes this flow to break?
2. Is there a fix that allows using the latest version?

System information

• OS: mac OS and Render.com
• Version of ssupabase-py: 2.11.0 is the buggy version

[bstadlbauer]

We've also just run into this issue. For us 2.11.1 is broken, 2.11.0 still works

[silentworks]

I'm going to take a look into this. The only think I can think of that would have changed between releases was the httpx dependency. I will run a few tests in my demo app and try to get to the bottom of this.

[silentworks]

I can now confirm the breakage happened in httpx between version 0.27.2 to 0.28. I rolled back the version to 0.27.2 in my project locally and it all worked fine, as soon as I upgraded to 0.28.0 I got the error the OP mentioned above. I'm going to check the httpx codebase to see which change could have caused this.

[silentworks]

Found the exact issue. httpx changed it's behavior on how it handles query params in urls and this has in turn broken our code. httpx is still 0.x release, so they do introduce breaking changes at times, sorry we didn't catch this one before the release was done. I will work on a PR now to try and get a new version out.

If you are interested you can see the httpx PR that made the change here encode/httpx#3364, please don't comment on that PR.

[jackyliang]

WOOT! Thank you, and so happy I could help. Took me 6 hours to figure this out because I couldn't run a debugger on Render. And this is the first time I've had an issue that I didn't have on local, while on production, it was happening

[silentworks]

Thank you for reporting it here and providing enough detail for me to be able to debug it and get it fixed. Just waiting for someone on the Supabase team to review it and then I can get it merged in and create a new release of the library.

[jackyliang]

https://github.com/supabase/auth-py/releases/tag/v2.11.2

I see the new release

In requirements.txt, do I need to specify the exact version like auth-py===2.11.2?

[silentworks]

It would be gotrue==2.11.2. You can test it like that and let me know if its working for you. I'm going to release a new version of supabase python library soon. Just waiting on one PR from another package to come in first.

[silentworks]

Re-opened this as the automation closed it. I will close it once we have a release of the supabase python library released.

[jackyliang]

@silentworks

So once the fix is deployed, will I need to pin the version of gotrue to 2.11.2? Or just use supabase-py===[newest_version] with no gotrue specification?