supabase / auth / build 19453720722
Coverage: 69%

Build:
DEFAULT BRANCH: master
Ran 18 Nov 2025 04:13AM UTC
Jobs 1
Files 168
Run time 1min
18 Nov 2025 04:05AM UTC coverage: 68.358% (-0.04%) from 68.402%
Build 19453720722 · push · github · web-flow
feat(oauthserver): add OpenID Connect support (#2250)

## Summary

Adds OpenID Connect (OIDC) support to Supabase Auth's OAuth 2.1 server.
This implementation generates ID tokens for OAuth authorization code
flows and provides the required OIDC discovery and `UserInfo` endpoints.

## Changes

### 1. ID Token Generation
- Added `IDTokenClaims` struct with OIDC standard claims
- Implemented `GenerateIDToken()` function that creates JWT ID tokens
- ID tokens include:
  - Standard claims: `sub`, `iss`, `aud`, `exp`, `iat`, `auth_time`, `nonce`
  - Profile claims: `email`, `email_verified`, `phone_number`, `phone_number_verified`, `name`, `picture`, `preferred_username`, `updated_at`
- ID tokens expire in 1 hour
- Updated `AccessTokenResponse` to include `id_token` field

### 2. Nonce Parameter Support
- Added `nonce` field to authorization flow for replay attack prevention
- Captured from authorization request query parameter
- Stored in `oauth_authorizations` table
- Included in ID token claims per OIDC spec

### 3. Unified Discovery Endpoint
- Enhanced `/.well-known/openid-configuration` with complete OIDC metadata
- Merged OAuth Authorization Server Metadata (RFC 8414) with OIDC Discovery
- Both endpoints now use the same unified handler:
  - `GET /.well-known/openid-configuration` (OIDC Discovery)
  - `GET /.well-known/oauth-authorization-server` (RFC 8414)
- Response includes: supported algorithms, grant types, response types, claims, PKCE methods

### 4. UserInfo Endpoint
- Implemented `GET /oauth/userinfo` per OIDC Core Section 5.3
- Protected by Bearer token authentication via `requireAuthentication` middleware
- Returns complete user profile including:
  - Mandatory `sub` claim (user ID)
  - User metadata, app metadata, identities, factors, timestamps

### 5. Database Migration
- Adds `nonce` column to `oauth_authorizations` table (nullable text)
- Includes check constraint limiting nonce to 255 characters
... (continued)

156 of 281 new or added lines in 11 files covered. (55.52%)

1 existing line in 1 file now uncovered.

14351 of 20994 relevant lines covered (68.36%)

77.73 hits per line

New Missed Lines in Diff

Lines  Coverage (%)  ∆        File
2      76.92         2.85%    internal/api/shared/context.go
2      69.49         -0.94%   internal/models/refresh_token.go
3      78.71         -0.54%   internal/models/sessions.go
18     3.0           -0.14%   internal/api/oauthserver/authorize.go
19     81.23         -0.19%   internal/tokens/service.go
33     47.64         6.41%    internal/api/oauthserver/handlers.go
48     18.46         -33.71%  internal/api/jwks.go

Uncovered Existing Lines

Lines  Coverage (%)  ∆        File
1      47.64         6.41%    internal/api/oauthserver/handlers.go

Jobs

ID  Job ID          Ran                       Files  Coverage (%)
1   19453720722.1   18 Nov 2025 04:13AM UTC   168    68.36
(GitHub Action Run)
Commit 162788ff on github
© 2025 Coveralls, Inc