supabase / auth / 17444800289

03 Sep 2025 08:06PM UTC coverage: 68.798% (+0.09%) from 68.707%
17444800289

push

github

web-flow
feat: add OAuth client type (#2152)

## Summary
Add OAuth 2.1 client type support (public vs confidential) to enable
proper client authentication for MCP integrations and lay the foundation
for the upcoming token endpoint implementation.

## Why This Matters
- MCP Integration: Some MCP clients don't provide client secrets in
/token requests. We need to know which clients require secrets vs
PKCE-only authentication.
- OAuth 2.1 Compliance: Proper distinction between public clients (SPAs,
mobile apps) and confidential clients (server apps) as required by the
spec.
- Token Endpoint Foundation: This client authentication logic will be
essential for the upcoming /token endpoint implementation to handle
different client types correctly.

## Key Changes
### Database
- Added client_type enum ('public', 'confidential') to oauth_clients
table
- Made client_secret_hash nullable for public clients
- Default: 'confidential' for security

### OAuth Client Registration
- Support token_endpoint_auth_method parameter in registration
- Auto-infer client type: `none` → public, `client_secret_*` →
confidential
- Priority: explicit client_type > inferred from auth method > default
confidential

### Authentication Logic
- Public clients: No client secret required, use PKCE
- Confidential clients: Client secret required
- Updated middleware to enforce type-specific authentication rules
- Foundation for /token endpoint: Centralized client auth functions
ready for token exchange implementation
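
The resolution priority and the per-type authentication rules listed in the commit message above, sketched as an added Go example. It is not code from supabase/auth: the function names, the SHA-256 secret hash, the rejection of unrecognized auth methods, and the presence-only PKCE check are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// ResolveClientType: explicit client_type > inferred from auth method > default confidential.
func ResolveClientType(explicit, authMethod string) (string, error) {
	switch explicit {
	case "public", "confidential":
		return explicit, nil
	case "": // not supplied: continue to inference below
	default:
		return "", fmt.Errorf("invalid client_type %q", explicit)
	}
	switch {
	case authMethod == "none":
		return "public", nil
	case authMethod == "", strings.HasPrefix(authMethod, "client_secret_"):
		return "confidential", nil // empty method takes the secure default
	}
	// Assumption: any other method is rejected rather than silently defaulted.
	return "", fmt.Errorf("unsupported token_endpoint_auth_method %q", authMethod)
}

// HashSecret uses SHA-256 as a stand-in; the page does not name the real hash.
func HashSecret(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

// CheckClientAuth fails closed: any type other than "public" needs a valid secret.
// secretHash is nil for public clients (nullable client_secret_hash).
func CheckClientAuth(clientType string, secretHash []byte, secret, codeVerifier string) error {
	if clientType == "public" {
		if codeVerifier == "" { // assumption: the verifier itself is validated elsewhere
			return errors.New("public client must use PKCE")
		}
		return nil
	}
	if secret == "" || subtle.ConstantTimeCompare(HashSecret(secret), secretHash) != 1 {
		return errors.New("invalid client secret")
	}
	return nil
}

func main() {
	t, _ := ResolveClientType("", "none") // constructed registration input
	fmt.Println(t, CheckClientAuth(t, nil, "", "constructed-verifier"))
}
```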

116 of 142 new or added lines in 6 files covered. (81.69%)

2 existing lines in 2 files now uncovered.

12630 of 18358 relevant lines covered (68.8%)

66.75 hits per line

79.67
/internal/api/middleware.go


Source Not Available
