supabase / auth / 19453720722

18 Nov 2025 04:05AM UTC coverage: 68.358% (-0.04%) from 68.402%
push

github

web-flow
feat(oauthserver): add OpenID Connect support (#2250)

## Summary

Adds OpenID Connect (OIDC) support to Supabase Auth's OAuth 2.1 server.
This implementation generates ID tokens for OAuth authorization code
flows and provides the required OIDC discovery and `UserInfo` endpoints.

## Changes

### 1. ID Token Generation
- Added `IDTokenClaims` struct with OIDC standard claims
- Implemented `GenerateIDToken()` function that creates JWT ID tokens
- ID tokens include:
  - Standard claims: `sub`, `iss`, `aud`, `exp`, `iat`, `auth_time`, `nonce`
  - Profile claims: `email`, `email_verified`, `phone_number`, `phone_number_verified`, `name`, `picture`, `preferred_username`, `updated_at`
- ID tokens expire in 1 hour
- Updated `AccessTokenResponse` to include `id_token` field

### 2. Nonce Parameter Support
- Added `nonce` field to authorization flow for replay attack prevention
- Captured from authorization request query parameter
- Stored in `oauth_authorizations` table
- Included in ID token claims per OIDC spec

### 3. Unified Discovery Endpoint
- Enhanced `/.well-known/openid-configuration` with complete OIDC metadata
- Merged OAuth Authorization Server Metadata (RFC 8414) with OIDC Discovery
- Both endpoints now use the same unified handler:
  - `GET /.well-known/openid-configuration` (OIDC Discovery)
  - `GET /.well-known/oauth-authorization-server` (RFC 8414)
- Response includes: supported algorithms, grant types, response types, claims, PKCE methods

### 4. UserInfo Endpoint
- Implemented `GET /oauth/userinfo` per OIDC Core Section 5.3
- Protected by Bearer token authentication via `requireAuthentication` middleware
- Returns complete user profile including:
  - Mandatory `sub` claim (user ID)
  - User metadata, app metadata, identities, factors, timestamps

### 5. Database Migration
- Adds `nonce` column to `oauth_authorizations` table (nullable text)
- Includes check constraint limiting nonce to 255 characters
... (continued)
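The commit message above lists the ID token claims, the one-hour lifetime and the `nonce` that is carried from the authorization request into the ID token. The Go program below is an added example written for this page, not code from the supabase/auth project: it shows the shape of such a claims struct, mints a token with that lifetime, and performs the relying-party checks that give the nonce its replay-protection value. The HS256 shared-key signing, the exact field set, and every name and sample value in it (`NewIDTokenClaims`, `VerifyIDToken`, the issuer and client IDs) are assumptions made here; a real OIDC provider would sign with an asymmetric key published at its JWKS endpoint, and `aud` may also be an array.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims carries a subset of the standard claims named in the commit
// message. Illustrative only; the project's own struct may differ.
type IDTokenClaims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"` // the OAuth client_id; OIDC also permits an array
	ExpiresAt int64  `json:"exp"`
	IssuedAt  int64  `json:"iat"`
	AuthTime  int64  `json:"auth_time"`
	Nonce     string `json:"nonce,omitempty"` // echoed from the authorization request
}

// IDTokenLifetime is the one-hour expiry described in the commit message.
const IDTokenLifetime = time.Hour

// NewIDTokenClaims fills the time-based claims relative to now.
func NewIDTokenClaims(issuer, subject, clientID, nonce string, authTime, now time.Time) IDTokenClaims {
	return IDTokenClaims{
		Issuer: issuer, Subject: subject, Audience: clientID,
		ExpiresAt: now.Add(IDTokenLifetime).Unix(), IssuedAt: now.Unix(),
		AuthTime: authTime.Unix(), Nonce: nonce,
	}
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateIDToken signs the claims as an HS256 JWT (shared key assumed here
// so the example is self-contained).
func GenerateIDToken(key []byte, claims IDTokenClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64url(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil)), nil
}

// VerifyIDToken performs the relying-party checks: alg pinned, signature valid,
// iss and aud match, not expired, and nonce equal to the value this client sent
// on its own authorization request. The nonce check is what prevents a captured
// ID token from being replayed into a different login session.
func VerifyIDToken(key []byte, token, issuer, clientID, expectedNonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // never trust alg from the token
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c IDTokenClaims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Issuer != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Audience != clientID:
		return nil, errors.New("audience mismatch")
	case now.Unix() >= c.ExpiresAt:
		return nil, errors.New("token expired")
	case c.Nonce != expectedNonce:
		return nil, errors.New("nonce mismatch: possible replay")
	}
	return &c, nil
}

func main() {
	key := []byte("example-shared-secret") // constructed key, not a real secret
	now := time.Unix(1_700_000_000, 0)
	claims := NewIDTokenClaims("https://auth.example.test", "user-123", "client-abc", "n0nce-xyz", now, now)
	tok, _ := GenerateIDToken(key, claims)
	_, err := VerifyIDToken(key, tok, "https://auth.example.test", "client-abc", "n0nce-xyz", now)
	fmt.Println("matching nonce:", err)
	_, err = VerifyIDToken(key, tok, "https://auth.example.test", "client-abc", "other-nonce", now)
	fmt.Println("token replayed into another session:", err)
	_, err = VerifyIDToken(key, tok, "https://auth.example.test", "client-abc", "n0nce-xyz", now.Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

The client is expected to generate a fresh random nonce per authorization request, keep it in its session, and compare it against the ID token's `nonce` claim; a token that verifies cryptographically but carries a nonce from some other session is rejected, which is the replay protection the commit message refers to.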

156 of 281 new or added lines in 11 files covered. (55.52%)

1 existing line in 1 file now uncovered.

14351 of 20994 relevant lines covered (68.36%)

77.73 hits per line

Source File: /internal/api/shared/context.go (76.92%)

Source Not Available
