feat: add oauth2 client support #2098
Merged
Conversation
hf reviewed Jul 31, 2025:
Really good!
hf reviewed Aug 4, 2025

hf approved these changes Aug 4, 2025:
🚢
cstockton approved these changes Aug 4, 2025:
👍
hf pushed a commit that referenced this pull request on Aug 28, 2025:
🤖 I have created a release *beep* *boop*

---

## [2.179.0](v2.178.0...v2.179.0) (2025-08-28)

### Features

* add oauth2 client support ([#2098](#2098)) ([8fae015](8fae015))
* experimental own linking domains per provider ([#2119](#2119)) ([747bf3b](747bf3b))
* fetch email from snapchat oauth provider if available for consistency ([#2110](#2110)) ([7507822](7507822))
* implement link identity with oidc / native sign in ([#2108](#2108)) ([5f0ec87](5f0ec87))
* implements email-less accounts with oauth ([#2105](#2105)) ([9a61dae](9a61dae))
* introduce request-scoped background tasks & async mail sending ([#2126](#2126)) ([2c8ea61](2c8ea61))
* refactor mailer client wiring and add validation wrapper ([#2130](#2130)) ([68c40a6](68c40a6))
* support multiple `aud` for the external providers ([#2117](#2117)) ([ca5792e](ca5792e))
* use `slices.Contains` instead of for loops ([#2111](#2111)) ([9f22682](9f22682))

### Bug Fixes

* add `id-token` permission to ci ([#2143](#2143)) ([79209c0](79209c0))
* add missing param ([#2125](#2125)) ([c0b75f6](c0b75f6))
* change s3 artifact upload role ([#2145](#2145)) ([767e371](767e371))
* remove requirement of empty content-type on 204 ([#2128](#2128)) ([ecc97e0](ecc97e0))
* run release-please again ([#2144](#2144)) ([2560f14](2560f14))
* stripped binary now includes version ([#2147](#2147)) ([609f169](609f169))
* update copyright year in LICENSE ([#2142](#2142)) ([67fe0b0](67fe0b0))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
cemalkilic added a commit that referenced this pull request on Sep 1, 2025:
# Summary

This PR implements the OAuth 2.1 authorization endpoint in Supabase Auth, completing the server-side OAuth flow by adding user authorization and consent management. Building on the OAuth client registration foundation (#2098), this enables Supabase Auth to function as an OAuth 2.1 authorization server.

# Features Added

## Authorization Flow Endpoints

- **Authorization Initiation** (`GET /oauth/authorize`) - Initiates OAuth 2.1 authorization code flow with PKCE support and redirects user to (for now) pre-configured url
- **Authorization Details** (`GET /oauth/authorizations/{authorization_id}`) - Retrieves authorization request details for consent UI
- **Consent Processing** (`POST /oauth/authorizations/{authorization_id}/consent`) - Handles user consent decisions (approve/deny)

## Authorization Management

- **PKCE Enforcement** - Mandatory PKCE (RFC 7636) with S256/Plain support for OAuth 2.1 compliance
- **User Consent Tracking** - Persistent consent storage with scope-based auto-approval for trusted clients
- **State Management** - Complete authorization lifecycle management (pending → approved/denied/expired)
- **Security Controls** - Authorization expiration, redirect URI validation

# Technical Implementation

## Database Schema

- New `oauth_authorizations` table for authorization requests with status tracking
- New `oauth_consents` table for persistent user consent management
- Enhanced enums for authorization status and response types
- Comprehensive indexing for performance and cleanup operations

## Code Organization

- Extended `internal/api/oauthserver` package with authorization flow handlers
- New models: `OAuthServerAuthorization`, `OAuthServerConsent`, and scope utilities
- Shared PKCE utilities extracted to `internal/models/pkce.go` for reuse
- Context utilities moved to `internal/api/shared` to avoid circular dependencies

# Future Work

- **Integration Tests** - Add comprehensive integration tests for authorization flow handlers
- **Audit Logging** - Enhanced audit logging for authorization decisions and consent management
- **Scope Enforcement** - Currently scope handling provides future extensibility without active enforcement/utilization
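The two "Security Controls" named in that commit message, redirect URI validation against the client registration and mandatory PKCE (RFC 7636) with S256/plain, as an added Go example that is not Supabase Auth's code: the `RegisteredClient` and `AuthorizeParams` types and their field names, the in-memory map standing in for the `oauth_clients` table, and the sample client registration are all assumptions constructed for illustration. The only real-world value is the RFC 7636 Appendix B test vector, and the exact-string redirect URI match is what OAuth 2.1 requires, so the example generalises slightly beyond the message by also showing the token-endpoint side of PKCE.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// RegisteredClient is a constructed stand-in for a row of the oauth_clients
// table the page mentions; the field names are assumptions, not the project's.
type RegisteredClient struct {
	ClientID     string
	RedirectURIs []string // registered exactly as the client will send them
}

// AuthorizeParams are the GET /oauth/authorize query parameters this example
// validates (field names are assumptions).
type AuthorizeParams struct {
	ClientID            string
	RedirectURI         string
	CodeChallenge       string
	CodeChallengeMethod string // "S256", "plain", or "" (RFC 7636 default: plain)
}

var (
	ErrUnknownClient = errors.New("unknown client_id")
	ErrRedirectURI   = errors.New("redirect_uri is not registered for this client")
	ErrPKCERequired  = errors.New("code_challenge is required")
	ErrPKCEMethod    = errors.New("unsupported code_challenge_method")
	ErrPKCEVerifier  = errors.New("code_verifier does not match code_challenge")
)

// RFC 7636 section 4.1: verifier and challenge are 43..128 unreserved characters.
var pkceCharset = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// ValidateAuthorizeRequest enforces redirect URI validation against the
// registration and mandatory PKCE, as an OAuth 2.1 authorization endpoint must.
func ValidateAuthorizeRequest(clients map[string]RegisteredClient, p AuthorizeParams) error {
	client, ok := clients[p.ClientID]
	if !ok {
		return ErrUnknownClient
	}
	// Exact string comparison, no prefix or host-only matching: anything looser
	// lets an attacker steer the authorization code to a URI they control.
	matched := false
	for _, u := range client.RedirectURIs {
		if u == p.RedirectURI {
			matched = true
			break
		}
	}
	if !matched {
		return ErrRedirectURI
	}
	// OAuth 2.1 makes PKCE mandatory for every authorization code request.
	if !pkceCharset.MatchString(p.CodeChallenge) {
		return ErrPKCERequired
	}
	switch p.CodeChallengeMethod {
	case "S256", "plain", "":
		return nil
	default:
		return ErrPKCEMethod
	}
}

// ComputeS256Challenge derives the challenge a client sends for a verifier:
// BASE64URL(SHA256(ASCII(code_verifier))) without padding.
func ComputeS256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeVerifier is the token-endpoint side: the client presents
// code_verifier and the server checks it against the stored challenge.
func VerifyCodeVerifier(method, storedChallenge, verifier string) error {
	if !pkceCharset.MatchString(verifier) {
		return ErrPKCEVerifier
	}
	var expected string
	switch method {
	case "S256":
		expected = ComputeS256Challenge(verifier)
	case "plain", "":
		expected = verifier
	default:
		return ErrPKCEMethod
	}
	// Constant-time compare so response timing cannot leak the stored challenge.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return ErrPKCEVerifier
	}
	return nil
}

func main() {
	// Constructed sample registration, not real client data.
	clients := map[string]RegisteredClient{
		"client-123": {ClientID: "client-123", RedirectURIs: []string{"https://app.example/callback"}},
	}
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B
	p := AuthorizeParams{
		ClientID: "client-123", RedirectURI: "https://app.example/callback",
		CodeChallenge: ComputeS256Challenge(verifier), CodeChallengeMethod: "S256",
	}
	fmt.Println("authorize:", ValidateAuthorizeRequest(clients, p))
	fmt.Println("token exchange:", VerifyCodeVerifier("S256", p.CodeChallenge, verifier))
	p.RedirectURI = "https://app.example/callback/../evil"
	fmt.Println("tampered redirect:", ValidateAuthorizeRequest(clients, p))
}
```

The charset and length checks run before any comparison so that an oversized or non-ASCII `code_verifier` is rejected without ever reaching the hash; accepting `plain` keeps parity with the commit message's "S256/Plain support", though a deployment that only serves clients capable of SHA-256 can drop that case.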
Summary

This PR implements OAuth2 client support in Supabase Auth, enabling applications to register OAuth clients programmatically. This is a foundational step toward full OAuth 2.1 server compliance.

Features Added

Client Registration Endpoints

Client Management Endpoints

Notes on Technical Implementation

Database Schema

- `oauth_clients` table

Code Organization

- `internal/api/oauthserver` package for OAuth server functionality. This package aimed to include all OAuth server code. Note that Supabase Auth as of today is already an OAuth client to other OAuth providers (i.e. Google).
- `internal/api/shared` to avoid circular dependencies. Planning to move the necessary code as we go. Started with the `sendJSON` function.

Quick Test

Register a new OAuth client:

Important Note

There is no breaking change in this PR. This is purely additive functionality that doesn't affect existing authentication flows.