supabase / auth / 21214177698

69%

Build Type

push

github

Committed by web-flow

Commit Message

feat(oauth-server): store and enforce token_endpoint_auth_method (#2300)

## Problem

I noticed there was a TODO for storing the `token_endpoint_auth_method`
value. While integrating with Claude.ai's OAuth flow, we discovered that
returning `client_secret_basic` for all clients (regardless of their
actual registration) was breaking the authentication flow. Claude.ai
strictly validates the auth method returned during client registration,
so it was critical for us to return the correct value.

Per [RFC 7591 Section
2](https://datatracker.ietf.org/doc/html/rfc7591#section-2):

> If unspecified or omitted, the default is "client_secret_basic"

For public clients, the default is `none` since they don't have a client
secret.

## Solution

Added proper storage and enforcement of `token_endpoint_auth_method`:

### Database Changes
- Added `token_endpoint_auth_method` TEXT column (NOT NULL) to
`oauth_clients` table
- Migration sets default values for existing clients based on their
`client_type`:
  - `confidential` → `client_secret_basic`
  - `public` → `none`

### Behavior
- New clients get `token_endpoint_auth_method` persisted during
registration
- Token endpoint validates that the authentication method used matches
the registered method
- Returns the correct `token_endpoint_auth_method` in client
registration responses

---------

Signed-off-by: Pierre Dulac <dulacpier@gmail.com>
Signed-off-by: Pierre Dulac <pierre@entropia.io>
Co-authored-by: Cemal Kılıç <cemalkilic@users.noreply.github.com>

Run Details

38 of 78 new or added lines in 6 files covered. (48.72%)

1 existing line in 1 file now uncovered.

14847 of 21570 relevant lines covered (68.83%)

79.64 hits per line