supabase / auth

69%

LAST BUILD ON BRANCH master

branch: SELECT

CHANGE BRANCH

x

Sync Branches

• No branch selected
• add-max-length-check-for-email
• bo/docs/readme-code-syntax
• bugfix/bootstrapping
• cemal/add-checksums-to-release-notes
• cemal/audit-log-stdout
• cemal/audit-logs-prevent-only-writing-postgres
• cemal/ci-fix-yaml-syntax-error
• cemal/enhance-record-login-calls
• cemal/facebook-limited-login-support
• cemal/feat-add-oauth-authorize-endpoint
• cemal/feat-add-well-known-oauth-auth-server
• cemal/feat-facebook-limited-login-skip-nonce-check
• cemal/feat-redirect-url-v2
• cemal/feat-support-multiple-aud
• cemal/feat-update-docker-compose-dev
• cemal/fix-add-missing-param
• cemal/fix-info-log-on-http-server-close
• cemal/fix-provider-info-signup-audit
• cemal/oauth-provider-client
• cemal/refactor-token-service
• chore-fix-link-to-netlify-gotrue
• chore/harden-runners
• chore/testing
• chore/update-workflow-check-commits
• cleanup-ci
• cs/api-errorcodes-refactor
• cs/auth-sso-resource-id-support
• cs/background-template-reloading
• cs/background-template-reloading-p2
• cs/bug-fix-send-email-hook
• cs/chore-apitask-tests
• cs/chore-gosec-fixes
• cs/conf-coverage
• cs/e2e
• cs/feat-background-workers
• cs/feat-config-reloader
• cs/feat-email-and-sms-rate-limiting
• cs/feat-mailer-cleanup-p1
• cs/feat-mailer-logging
• cs/feat-makefile-qol
• cs/feat-rate-limiter-persistence
• cs/feat-validate-email-address
• cs/fix-rate-limit-zero-value-test
• cs/fix-respect-rate-limit-zero
• cs/hooks-content-negotiation-fix
• cs/hooks-p1
• cs/hooks-p2
• cs/hooks-p3
• cs/hooks-p4
• cs/hooks-pr5-opt1
• cs/hooks-pr5-opt2
• cs/hooks-refactor-apierrors
• cs/hooks-test-coverage
• cs/invite-fix
• cs/mailer-refactor-p1
• cs/master-fix-missing-error-propagation
• cs/maxconn-fix-1
• cs/rate-limit-otp-clarity
• cs/rate-limit-refactor
• cs/reduce-artifact-sizes
• cs/reload-coverage
• cs/reloader-allow-invalid-config-dir
• cs/revert-1974
• cs/update-godotenv
• cs/v1hooks
• dependabot/go_modules/github.com/getkin/kin-openapi-0.131.0
• dependabot/go_modules/github.com/go-chi/chi/v5-5.2.2
• dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.4
• dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.1
• dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.2
• dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2
• dependabot/go_modules/github.com/rs/cors-1.11.0
• dependabot/go_modules/golang.org/x/crypto-0.31.0
• dependabot/go_modules/golang.org/x/net-0.23.0
• dependabot/go_modules/golang.org/x/net-0.36.0
• dependabot/go_modules/golang.org/x/net-0.38.0
• dependabot/go_modules/golang.org/x/oauth2-0.27.0
• development
• docs-anon-login-configs
• docs/remove-unused-env-var
• esinx-naver-provider
• feat-slack-oauth-v2
• feat/min-jwt
• feat/mx-blocklist
• feat/solana-ledger
• feat_docker_compose_and_go
• feature/snapchat-oauth
• figma-auth
• fix--oauth-redirect-parsing
• fix-binary-name
• fix-contributing-md
• fix-magiclink-requiredchars
• fix/update-sanitize-signup
• fix_contributing_typo
• hf/aao-in-send-email
• hf/add-audit-log-disable-postgres
• hf/add-authorized-email-addresses
• hf/add-azure-ciam
• hf/add-exhaustive
• hf/add-magic-link-disable-toggle
• hf/add-max-idle-time
• hf/add-one-time-tokens
• hf/add-support-for-argon2
• hf/adjust-required-claims-in-auth-hooks
• hf/artifact-bucket
• hf/azure-overage-include-api-version
• hf/bump-saml-0-5-1
• hf/captcha-parsing-fix
• hf/change-s3-role
• hf/chore-fix-gha-perms
• hf/chore-release-as-2-165-2
• hf/ci-alpine-3
• hf/ci-dogofooding-checks-on-release
• hf/ci-fast-release-tarball
• hf/ci-fix-binary-version-docker
• hf/ci-fix-coverage-metering
• hf/ci-fix-dogfooding
• hf/ci-fix-dogfooding-take-2
• hf/cover-crypto-100
• hf/email-less-accounts-with-oauth
• hf/email-rate-limiting-new-config
• hf/encrypt-sensitive-columns
• hf/encrypted-password-pointer
• hf/experimental-provider-linking-domains
• hf/external-host-validation
• hf/fail-empty-address
• hf/fallback-to-jwt-secret-if-unknown-kid
• hf/feat-bump-new-version
• hf/feat-embedded-migrations
• hf/fix-apple-oidc-issuer-change
• hf/fix-argon2
• hf/fix-authenticate-empty-string
• hf/fix-azure-large-groups
• hf/fix-claim-overages-json-azure
• hf/fix-coveralls-image
• hf/fix-custom-sms-twilio-verify
• hf/fix-expose-x-supabase-api-version-header-in-cors
• hf/fix-id-token-permission
• hf/fix-idempotent-logout
• hf/fix-identity-email-verified
• hf/fix-local-dockerfile
• hf/fix-mail-headers
• hf/fix-mfa-config-backward-compatibility
• hf/fix-new-oidc-provider-apple
• hf/fix-redirect-ip-address
• hf/fix-secret-api-key-ignore-aud-claim
• hf/fix-solana-localhost
• hf/fix-strip-version
• hf/fix-supafast
• hf/fix-timeout-writer
• hf/fix-write-header
• hf/fix-write-header-deadlock
• hf/gomft
• hf/hook-log
• hf/inline-mailme
• hf/limit-low-aal-sessions
• hf/link-identity-oidc
• hf/log-json-error-response
• hf/mail-headers
• hf/merge-metadata
• hf/move-email-sms-send-out-of-update-user-transaction
• hf/phase-ii-ott
• hf/remove-data-migrations
• hf/revert-azure-claim-overages
• hf/saml-array-values
• hf/saml-encrypted-assertions
• hf/saml-specific-external-url
• hf/separate-web3-rate-limits-from-other-token
• hf/skip-apple-issuer-check-oidc
• hf/snap
• hf/split-words-audit-log
• hf/supafast-tarball
• hf/test-release
• hf/try-to-run-release-please-again
• hf/ubuntu-latest
• hf/upload-artifacts-to-s3
• hf/use-redirect-url
• hf/vercel-global-user-id
• hf/x-sb-error-code
• j0/accurately_affect_max_frequency_limit
• j0/add_additional_info_around_mime_type_error
• j0/add_context_to_load_factor
• j0/add_custom_email_sender_hook
• j0/add_has_factor_claim
• j0/add_hook_trigger_logic
• j0/add_last_challenged_at
• j0/add_mfa_phone_openapi_spec
• j0/add_mfa_sms
• j0/add_scrypt_password_hash
• j0/add_timeout_middleware
• j0/add_token_for_non_secure_email_change
• j0/add_twilio_verify_support_for_mfa_phone
• j0/add_webauthn
• j0/add_webauthn_config
• j0/adjust_mfa_status_codes
• j0/allow_kong_and_edge_functions
• j0/allow_only_one_phone_factor
• j0/allow_postgres_and_http_on_extensibility_point
• j0/backport_auth_namespace_to_enums
• j0/change_mfa_error_code
• j0/check_for_phone_identity_on_phone_chang
• j0/custom_email_hook
• j0/deprecate_mfa_enabled_config
• j0/drop_uniqueness_constraint_on_mfa_phone
• j0/fido2_authenticator_challenge_verify_model
• j0/fix_email_change_with_phone_auth
• j0/fix_migration_idempotent_phone_cnfig
• j0/fix_rc_duplicate_identifier
• j0/fixes_while_testing
• j0/forbid_access_token_issuance_without_session
• j0/hide_hook_name
• j0/merge_aal_and_amr_update
• j0/mfa_refactor_load_factor
• j0/minor_speling_error
• j0/move_totp_mfa_to_dedicated_fn
• j0/move_verification_into_mailer_package
• j0/patch_secure_email_change
• j0/phone_mfa_refactors
• j0/prevent_panic_on_email_change
• j0/publish_to_ghcr
• j0/refactor_generate_access_token
• j0/refactor_generate_access_token_to_accept_request
• j0/remove_deprecated_code
• j0/remove_find_factors_by_user
• j0/remove_find_session_by_id
• j0/remove_set_cookie_tokens
• j0/remove_totp_field_for_phone_response
• j0/rename_to_send_sms
• j0/require_appropriate_aal_for_pw_update
• j0/return_factor_type_in_challenge
• j0/send_over_user_in_send_sms_hook
• j0/update_auth_functions
• j0/update_error_code_id_token
• j0/update_hook_schema
• j0/update_mfa_error_message
• j0/update_openapi_schema
• j0/update_openapi_spec
• j0/update_phone_admin_methods
• j0/upgrade-contrib-docs
• j0/upgrade_go_version
• j0/upgrade_otel_deps
• j0/validate_send_email
• j0/webauthn_fixes
• janek/signup-identities-email-verified
• km/add-error-codes
• km/add-error-codes-password-login
• km/add-ip-based-limits
• km/add-saml-tests
• km/alter-auth-uid
• km/bump-alpine-go
• km/check-empty-aud
• km/chore-remove-unused-hook-outputs
• km/cleanup-anonymous-users
• km/feat-asymmetric-jwt-support
• km/fix-admin-update-user
• km/fix-amr-mfa
• km/fix-anonymous-user-linking
• km/fix-attribute-mapping
• km/fix-auth-hook-error
• km/fix-auth-hooks
• km/fix-authorized-emails
• km/fix-authorized-middleware-check
• km/fix-cleanup-logging
• km/fix-context-cancellation
• km/fix-custom-sms-hook-config
• km/fix-email-verified
• km/fix-enable-rls
• km/fix-external-state
• km/fix-figma
• km/fix-ignore-rate-limits-for-autoconfirm
• km/fix-improve-session-error
• km/fix-jwt
• km/fix-linkedin-oidc-issuer
• km/fix-logging
• km/fix-mailer-config
• km/fix-max-password-length-error
• km/fix-mfa-factors-index
• km/fix-panic-logout
• km/fix-panic-refresh-token
• km/fix-pkce-verify-post
• km/fix-rate-limit-log-level
• km/fix-return-error-code
• km/fix-saml-assertion
• km/fix-search-path
• km/fix-serve
• km/fix-shared-limiter
• km/fix-signup-generate-link
• km/fix-signup-verify
• km/fix-timeout-write-header
• km/fix-update-attribute-mapping
• km/fix-update-phone
• km/fix-update-user
• km/fix-update-user-email
• km/fix-update-user-phone-change
• km/fix-use-factor-id
• km/format-test-otps
• km/hotfix-jwt-aud
• km/improve-logging
• km/improve-mfa-verify-logs
• km/improve-saml-logging
• km/improve-token-oidc-logging
• km/inactivity-session-bug
• km/normalise-emails
• km/phase-iii-ott
• km/redirect-invalid-state
• km/ref-retrieve-request-params
• km/remove-unused-args
• km/return-identity
• km/return-session-not-found-error
• km/update-admin-create-user
• km/update-chi-version
• km/update-ci
• km/update-error-message
• km/update-golang-jwt
• km/update-mailme
• km/update-oapi
• km/v2.157.1
• master
• omerhochman/fix-linkedin-iodc-error
• optional_2fa
• or/fallback-on-btree-when-hash-unavailable
• or/test-twitter-oauth
• patch-1
• push-wnvwkqmwrrtk
• refs/tags/rc2.170.0-rc.10
• release-please--branches--master
• release/2.165.0
• remove-instance-id-queries
• remove-redundant-method-hookuri-param
• revert-1534-omerhochman/fix-linkedin-iodc-error
• revert-1616-km/alter-auth-uid
• revert-1812-hf/artifact-bucket
• revert-1856-or/fallback-on-btree-when-hash-unavailable
• revert-1858-revert-1856-or/fallback-on-btree-when-hash-unavailable
• sam/packaged-auth
• simplify-request-tracing-middleware-setup-logic
• single-source-of-truth-for-waitforcleanup
• siwe-implementation
• snyk-fix-0720ecd3bfe1e766e52214a3bbab15f5
• update-docker-container-name
• update-md-for-resend-endpont
• vercel-marketplace-oidc

Build # 17383331724

Build Type

push

github

Committed by web-flow

Commit Message

feat: implement OAuth2 authorization endpoint (#2107)

# Summary

This PR implements the OAuth 2.1 authorization endpoint in Supabase
Auth, completing the server-side OAuth flow by adding user authorization
and consent management. Building on the OAuth client registration
foundation (#2098), this enables Supabase Auth to function as an OAuth
2.1 authorization server.

# Features Added
## Authorization Flow Endpoints

- **Authorization Initiation** (`GET /oauth/authorize`) - Initiates
OAuth 2.1 authorization code flow with PKCE support and redirects user
to (for now) pre-configured url
- **Authorization Details** (`GET
/oauth/authorizations/{authorization_id}`) - Retrieves authorization
request details for consent UI
- **Consent Processing** (`POST
/oauth/authorizations/{authorization_id}/consent`) - Handles user
consent decisions (approve/deny)

## Authorization Management

- **PKCE Enforcement** - Mandatory PKCE (RFC 7636) with S256/Plain
support for OAuth 2.1 compliance
- **User Consent Tracking** - Persistent consent storage with
scope-based auto-approval for trusted clients
- **State Management** - Complete authorization lifecycle management
(pending → approved/denied/expired)
- **Security Controls** - Authorization expiration, redirect URI
validation

# Technical Implementation
## Database Schema

- New `oauth_authorizations` table for authorization requests with
status tracking
- New `oauth_consents` table for persistent user consent management  
- Enhanced enums for authorization status and response types
- Comprehensive indexing for performance and cleanup operations

## Code Organization

- Extended `internal/api/oauthserver` package with authorization flow
handlers
- New models: `OAuthServerAuthorization`, `OAuthServerConsent`, and
scope utilities
- Shared PKCE utilities extracted to `internal/models/pkce.go` for reuse
- Context utilities moved to `internal/api/shared` to avoid circular
dependencies

# Future Work

- **Integration Tests** - ... (continued)

Run Details

205 of 785 new or added lines in 12 files covered. (26.11%)

12537 of 18247 relevant lines covered (68.71%)

67.13 hits per line