supabase / auth / 17648046512

69%

Build Type

push

github

Committed by web-flow

Commit Message

feat(oauth2): add `/oauth/token` endpoint (#2159)

## Summary
This PR completes the OAuth2 server implementation by adding the
`/token` endpoint, enabling full OAuth2 authorization code flow &
refresh token support.

## Key Features Added:
### OAuth Token Endpoint (POST /oauth/token) supporting:
- `authorization_code` grant type for exchanging authorization codes for
access
- refresh_token grant type for token refresh
- Both JSON and form-encoded request bodies
- OAuth Client authentication via Basic auth or request body parameters
(form params and JSON body)

### Token Service Integration:
- Integrated OAuth server with the existing token service
- Added OAuth-specific authentication method
(`oauth_provider/authorization_code`)
- Enhanced token generation to include OAuth client context in JWT
claims.

## Database Changes:
- Added `oauth_client_id` field to `sessions` table for OAuth client
tracking. So an OAuth clients can use a refresh token only if the
session is issued for them. Similarly, a session issued to a client can
only be refreshed by that client (i.e user can't use
`/token?grant_type=refresh_token` endpoint with a refresh token obtained
through `/oauth/token` endpoint.)

## Next Steps
- Adding ratelimit for the `/token` endpoint
- Store token auth method for oauth clients in the database

Run Details

88 of 303 new or added lines in 13 files covered. (29.04%)

13 existing lines in 2 files now uncovered.

12630 of 18589 relevant lines covered (67.94%)

65.72 hits per line