• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / auth
69%

Build:
DEFAULT BRANCH: master
Repo Added 27 Mar 2024 06:02AM UTC
Token 4bwRC3LZFPF44ZxCFKL8wNnCqKD2BNicB regen
Build 1080 Last
Files 161
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH master
branch: SELECT
CHANGE BRANCH
x
Sync Branches
  • No branch selected
  • add-max-length-check-for-email
  • bo/docs/readme-code-syntax
  • bugfix/bootstrapping
  • cemal/add-checksums-to-release-notes
  • cemal/audit-log-stdout
  • cemal/audit-logs-prevent-only-writing-postgres
  • cemal/ci-fix-yaml-syntax-error
  • cemal/enhance-record-login-calls
  • cemal/facebook-limited-login-support
  • cemal/feat-add-oauth-authorize-endpoint
  • cemal/feat-add-well-known-oauth-auth-server
  • cemal/feat-facebook-limited-login-skip-nonce-check
  • cemal/feat-redirect-url-v2
  • cemal/feat-support-multiple-aud
  • cemal/feat-update-docker-compose-dev
  • cemal/fix-add-missing-param
  • cemal/fix-info-log-on-http-server-close
  • cemal/fix-provider-info-signup-audit
  • cemal/oauth-provider-client
  • cemal/refactor-token-service
  • chore-fix-link-to-netlify-gotrue
  • chore/harden-runners
  • chore/testing
  • chore/update-workflow-check-commits
  • cleanup-ci
  • cs/api-errorcodes-refactor
  • cs/auth-sso-resource-id-support
  • cs/background-template-reloading
  • cs/background-template-reloading-p2
  • cs/bug-fix-send-email-hook
  • cs/chore-apitask-tests
  • cs/chore-gosec-fixes
  • cs/conf-coverage
  • cs/e2e
  • cs/feat-background-workers
  • cs/feat-config-reloader
  • cs/feat-email-and-sms-rate-limiting
  • cs/feat-mailer-cleanup-p1
  • cs/feat-mailer-logging
  • cs/feat-makefile-qol
  • cs/feat-rate-limiter-persistence
  • cs/feat-validate-email-address
  • cs/fix-rate-limit-zero-value-test
  • cs/fix-respect-rate-limit-zero
  • cs/hooks-content-negotiation-fix
  • cs/hooks-p1
  • cs/hooks-p2
  • cs/hooks-p3
  • cs/hooks-p4
  • cs/hooks-pr5-opt1
  • cs/hooks-pr5-opt2
  • cs/hooks-refactor-apierrors
  • cs/hooks-test-coverage
  • cs/invite-fix
  • cs/mailer-refactor-p1
  • cs/master-fix-missing-error-propagation
  • cs/maxconn-fix-1
  • cs/rate-limit-otp-clarity
  • cs/rate-limit-refactor
  • cs/reduce-artifact-sizes
  • cs/reload-coverage
  • cs/reloader-allow-invalid-config-dir
  • cs/revert-1974
  • cs/update-godotenv
  • cs/v1hooks
  • dependabot/go_modules/github.com/getkin/kin-openapi-0.131.0
  • dependabot/go_modules/github.com/go-chi/chi/v5-5.2.2
  • dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.4
  • dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.1
  • dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.2
  • dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2
  • dependabot/go_modules/github.com/rs/cors-1.11.0
  • dependabot/go_modules/golang.org/x/crypto-0.31.0
  • dependabot/go_modules/golang.org/x/net-0.23.0
  • dependabot/go_modules/golang.org/x/net-0.36.0
  • dependabot/go_modules/golang.org/x/net-0.38.0
  • dependabot/go_modules/golang.org/x/oauth2-0.27.0
  • development
  • docs-anon-login-configs
  • docs/remove-unused-env-var
  • esinx-naver-provider
  • feat-slack-oauth-v2
  • feat/min-jwt
  • feat/mx-blocklist
  • feat/solana-ledger
  • feat_docker_compose_and_go
  • feature/snapchat-oauth
  • figma-auth
  • fix--oauth-redirect-parsing
  • fix-binary-name
  • fix-contributing-md
  • fix-magiclink-requiredchars
  • fix/update-sanitize-signup
  • fix_contributing_typo
  • hf/aao-in-send-email
  • hf/add-audit-log-disable-postgres
  • hf/add-authorized-email-addresses
  • hf/add-azure-ciam
  • hf/add-exhaustive
  • hf/add-magic-link-disable-toggle
  • hf/add-max-idle-time
  • hf/add-one-time-tokens
  • hf/add-support-for-argon2
  • hf/adjust-required-claims-in-auth-hooks
  • hf/artifact-bucket
  • hf/azure-overage-include-api-version
  • hf/bump-saml-0-5-1
  • hf/captcha-parsing-fix
  • hf/change-s3-role
  • hf/chore-fix-gha-perms
  • hf/chore-release-as-2-165-2
  • hf/ci-alpine-3
  • hf/ci-dogofooding-checks-on-release
  • hf/ci-fast-release-tarball
  • hf/ci-fix-binary-version-docker
  • hf/ci-fix-coverage-metering
  • hf/ci-fix-dogfooding
  • hf/ci-fix-dogfooding-take-2
  • hf/cover-crypto-100
  • hf/email-less-accounts-with-oauth
  • hf/email-rate-limiting-new-config
  • hf/encrypt-sensitive-columns
  • hf/encrypted-password-pointer
  • hf/experimental-provider-linking-domains
  • hf/external-host-validation
  • hf/fail-empty-address
  • hf/fallback-to-jwt-secret-if-unknown-kid
  • hf/feat-bump-new-version
  • hf/feat-embedded-migrations
  • hf/fix-apple-oidc-issuer-change
  • hf/fix-argon2
  • hf/fix-authenticate-empty-string
  • hf/fix-azure-large-groups
  • hf/fix-claim-overages-json-azure
  • hf/fix-coveralls-image
  • hf/fix-custom-sms-twilio-verify
  • hf/fix-expose-x-supabase-api-version-header-in-cors
  • hf/fix-id-token-permission
  • hf/fix-idempotent-logout
  • hf/fix-identity-email-verified
  • hf/fix-local-dockerfile
  • hf/fix-mail-headers
  • hf/fix-mfa-config-backward-compatibility
  • hf/fix-new-oidc-provider-apple
  • hf/fix-redirect-ip-address
  • hf/fix-secret-api-key-ignore-aud-claim
  • hf/fix-solana-localhost
  • hf/fix-strip-version
  • hf/fix-supafast
  • hf/fix-timeout-writer
  • hf/fix-write-header
  • hf/fix-write-header-deadlock
  • hf/gomft
  • hf/hook-log
  • hf/inline-mailme
  • hf/limit-low-aal-sessions
  • hf/link-identity-oidc
  • hf/log-json-error-response
  • hf/mail-headers
  • hf/merge-metadata
  • hf/move-email-sms-send-out-of-update-user-transaction
  • hf/phase-ii-ott
  • hf/remove-data-migrations
  • hf/revert-azure-claim-overages
  • hf/saml-array-values
  • hf/saml-encrypted-assertions
  • hf/saml-specific-external-url
  • hf/separate-web3-rate-limits-from-other-token
  • hf/skip-apple-issuer-check-oidc
  • hf/snap
  • hf/split-words-audit-log
  • hf/supafast-tarball
  • hf/test-release
  • hf/try-to-run-release-please-again
  • hf/ubuntu-latest
  • hf/upload-artifacts-to-s3
  • hf/use-redirect-url
  • hf/vercel-global-user-id
  • hf/x-sb-error-code
  • j0/accurately_affect_max_frequency_limit
  • j0/add_additional_info_around_mime_type_error
  • j0/add_context_to_load_factor
  • j0/add_custom_email_sender_hook
  • j0/add_has_factor_claim
  • j0/add_hook_trigger_logic
  • j0/add_last_challenged_at
  • j0/add_mfa_phone_openapi_spec
  • j0/add_mfa_sms
  • j0/add_scrypt_password_hash
  • j0/add_timeout_middleware
  • j0/add_token_for_non_secure_email_change
  • j0/add_twilio_verify_support_for_mfa_phone
  • j0/add_webauthn
  • j0/add_webauthn_config
  • j0/adjust_mfa_status_codes
  • j0/allow_kong_and_edge_functions
  • j0/allow_only_one_phone_factor
  • j0/allow_postgres_and_http_on_extensibility_point
  • j0/backport_auth_namespace_to_enums
  • j0/change_mfa_error_code
  • j0/check_for_phone_identity_on_phone_chang
  • j0/custom_email_hook
  • j0/deprecate_mfa_enabled_config
  • j0/drop_uniqueness_constraint_on_mfa_phone
  • j0/fido2_authenticator_challenge_verify_model
  • j0/fix_email_change_with_phone_auth
  • j0/fix_migration_idempotent_phone_cnfig
  • j0/fix_rc_duplicate_identifier
  • j0/fixes_while_testing
  • j0/forbid_access_token_issuance_without_session
  • j0/hide_hook_name
  • j0/merge_aal_and_amr_update
  • j0/mfa_refactor_load_factor
  • j0/minor_speling_error
  • j0/move_totp_mfa_to_dedicated_fn
  • j0/move_verification_into_mailer_package
  • j0/patch_secure_email_change
  • j0/phone_mfa_refactors
  • j0/prevent_panic_on_email_change
  • j0/publish_to_ghcr
  • j0/refactor_generate_access_token
  • j0/refactor_generate_access_token_to_accept_request
  • j0/remove_deprecated_code
  • j0/remove_find_factors_by_user
  • j0/remove_find_session_by_id
  • j0/remove_set_cookie_tokens
  • j0/remove_totp_field_for_phone_response
  • j0/rename_to_send_sms
  • j0/require_appropriate_aal_for_pw_update
  • j0/return_factor_type_in_challenge
  • j0/send_over_user_in_send_sms_hook
  • j0/update_auth_functions
  • j0/update_error_code_id_token
  • j0/update_hook_schema
  • j0/update_mfa_error_message
  • j0/update_openapi_schema
  • j0/update_openapi_spec
  • j0/update_phone_admin_methods
  • j0/upgrade-contrib-docs
  • j0/upgrade_go_version
  • j0/upgrade_otel_deps
  • j0/validate_send_email
  • j0/webauthn_fixes
  • janek/signup-identities-email-verified
  • km/add-error-codes
  • km/add-error-codes-password-login
  • km/add-ip-based-limits
  • km/add-saml-tests
  • km/alter-auth-uid
  • km/bump-alpine-go
  • km/check-empty-aud
  • km/chore-remove-unused-hook-outputs
  • km/cleanup-anonymous-users
  • km/feat-asymmetric-jwt-support
  • km/fix-admin-update-user
  • km/fix-amr-mfa
  • km/fix-anonymous-user-linking
  • km/fix-attribute-mapping
  • km/fix-auth-hook-error
  • km/fix-auth-hooks
  • km/fix-authorized-emails
  • km/fix-authorized-middleware-check
  • km/fix-cleanup-logging
  • km/fix-context-cancellation
  • km/fix-custom-sms-hook-config
  • km/fix-email-verified
  • km/fix-enable-rls
  • km/fix-external-state
  • km/fix-figma
  • km/fix-ignore-rate-limits-for-autoconfirm
  • km/fix-improve-session-error
  • km/fix-jwt
  • km/fix-linkedin-oidc-issuer
  • km/fix-logging
  • km/fix-mailer-config
  • km/fix-max-password-length-error
  • km/fix-mfa-factors-index
  • km/fix-panic-logout
  • km/fix-panic-refresh-token
  • km/fix-pkce-verify-post
  • km/fix-rate-limit-log-level
  • km/fix-return-error-code
  • km/fix-saml-assertion
  • km/fix-search-path
  • km/fix-serve
  • km/fix-shared-limiter
  • km/fix-signup-generate-link
  • km/fix-signup-verify
  • km/fix-timeout-write-header
  • km/fix-update-attribute-mapping
  • km/fix-update-phone
  • km/fix-update-user
  • km/fix-update-user-email
  • km/fix-update-user-phone-change
  • km/fix-use-factor-id
  • km/format-test-otps
  • km/hotfix-jwt-aud
  • km/improve-logging
  • km/improve-mfa-verify-logs
  • km/improve-saml-logging
  • km/improve-token-oidc-logging
  • km/inactivity-session-bug
  • km/normalise-emails
  • km/phase-iii-ott
  • km/redirect-invalid-state
  • km/ref-retrieve-request-params
  • km/remove-unused-args
  • km/return-identity
  • km/return-session-not-found-error
  • km/update-admin-create-user
  • km/update-chi-version
  • km/update-ci
  • km/update-error-message
  • km/update-golang-jwt
  • km/update-mailme
  • km/update-oapi
  • km/v2.157.1
  • master
  • omerhochman/fix-linkedin-iodc-error
  • optional_2fa
  • or/fallback-on-btree-when-hash-unavailable
  • or/test-twitter-oauth
  • patch-1
  • push-wnvwkqmwrrtk
  • refs/tags/rc2.170.0-rc.10
  • release-please--branches--master
  • release/2.165.0
  • remove-instance-id-queries
  • remove-redundant-method-hookuri-param
  • revert-1534-omerhochman/fix-linkedin-iodc-error
  • revert-1616-km/alter-auth-uid
  • revert-1812-hf/artifact-bucket
  • revert-1856-or/fallback-on-btree-when-hash-unavailable
  • revert-1858-revert-1856-or/fallback-on-btree-when-hash-unavailable
  • sam/packaged-auth
  • simplify-request-tracing-middleware-setup-logic
  • single-source-of-truth-for-waitforcleanup
  • siwe-implementation
  • snyk-fix-0720ecd3bfe1e766e52214a3bbab15f5
  • update-docker-container-name
  • update-md-for-resend-endpont
  • vercel-marketplace-oidc

01 Sep 2025 04:48PM UTC coverage: 68.707% (-2.0%) from 70.664%
17383331724

push

github

web-flow
feat: implement OAuth2 authorization endpoint (#2107)

# Summary

This PR implements the OAuth 2.1 authorization endpoint in Supabase
Auth, completing the server-side OAuth flow by adding user authorization
and consent management. Building on the OAuth client registration
foundation (#2098), this enables Supabase Auth to function as an OAuth
2.1 authorization server.

# Features Added
## Authorization Flow Endpoints

- **Authorization Initiation** (`GET /oauth/authorize`) - Initiates
OAuth 2.1 authorization code flow with PKCE support and redirects user
to (for now) pre-configured url
- **Authorization Details** (`GET
/oauth/authorizations/{authorization_id}`) - Retrieves authorization
request details for consent UI
- **Consent Processing** (`POST
/oauth/authorizations/{authorization_id}/consent`) - Handles user
consent decisions (approve/deny)

## Authorization Management

- **PKCE Enforcement** - Mandatory PKCE (RFC 7636) with S256/Plain
support for OAuth 2.1 compliance
- **User Consent Tracking** - Persistent consent storage with
scope-based auto-approval for trusted clients
- **State Management** - Complete authorization lifecycle management
(pending → approved/denied/expired)
- **Security Controls** - Authorization expiration, redirect URI
validation

# Technical Implementation
## Database Schema

- New `oauth_authorizations` table for authorization requests with
status tracking
- New `oauth_consents` table for persistent user consent management  
- Enhanced enums for authorization status and response types
- Comprehensive indexing for performance and cleanup operations

## Code Organization

- Extended `internal/api/oauthserver` package with authorization flow
handlers
- New models: `OAuthServerAuthorization`, `OAuthServerConsent`, and
scope utilities
- Shared PKCE utilities extracted to `internal/models/pkce.go` for reuse
- Context utilities moved to `internal/api/shared` to avoid circular
dependencies

# Future Work

- **Integration Tests** - ... (continued)

205 of 785 new or added lines in 12 files covered. (26.11%)

12537 of 18247 relevant lines covered (68.71%)

67.13 hits per line

Relevant lines Covered
Build:
Build:
18247 RELEVANT LINES 12537 COVERED LINES
67.13 HITS PER LINE
Source Files on master
  • Tree
  • List 161
  • Changed 5
  • Source Changed 0
  • Coverage Changed 5
Coverage ∆ File Lines Relevant Covered Missed Hits/Line

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
17383331724 master feat: implement OAuth2 authorization endpoint (#2107) # Summary This PR implements the OAuth 2.1 authorization endpoint in Supabase Auth, completing the server-side OAuth flow by adding user authorization and consent management. Building on the ... push 01 Sep 2025 04:56PM UTC web-flow github
68.71
17382355296 cemal/feat-add-oauth-authorize-endpoint fix: use the primary key of oauth_clients for FK Pull #2107 01 Sep 2025 04:02PM UTC cemalkilic github
68.71
17376593411 cemal/feat-add-oauth-authorize-endpoint feat: add `.well-known/oauth-authorization-server` endpoint (#2124) ## What kind of change does this PR introduce? Adding `.well-known/oauth-authorization-server` endpoint per [RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414) Pull #2107 01 Sep 2025 11:50AM UTC cemalkilic github
68.71
17361858204 cs/background-template-reloading-p2 feat: mailer template cache & interface refactor - introduce shared template cache - centralize default subjects/bodies and validate at init - move templating into templatemailer - change mailer.Client.Mail signature to (subject, body, headers, t... Pull #2150 31 Aug 2025 08:23PM UTC Chris Stockton github
70.92
17359661859 cs/feat-makefile-qol chore: replace Makefile dev-deps with per-tool check targets - Remove unused `soda` command - Could not find any reference to this - Remove `dev-deps` target that installed all cmds - Add dedicated check targets: - `check-gosec` installs gose... Pull #2149 31 Aug 2025 04:36PM UTC Chris Stockton github
70.66
17359649920 cs/feat-makefile-qol makefile: replace dev-deps with per-tool check targets - Remove unused `soda` command - Could not find any reference to this - Remove `dev-deps` target that installed all cmds - Add dedicated check targets: - `check-gosec` installs gosec if m... Pull #2149 31 Aug 2025 04:35PM UTC Chris Stockton github
70.66
17310237126 cs/background-template-reloading chore: remove duplicate import due to mailer -> mail alias Pull #2148 28 Aug 2025 11:28PM UTC Chris Stockton github
70.66
17297186832 master chore(master): release 2.179.0 (#2106) :robot: I have created a release *beep* *boop* --- ## [2.179.0](https://github.com/supabase/auth/compare/v2.178.0...v2.179.0) (2025-08-28) ### Features * add oauth2 client support ([#2098](https://githu... push 28 Aug 2025 01:30PM UTC web-flow github
70.66
17294660645 master feat: implement link identity with oidc / native sign in (#2108) Implements linking an OIDC identity to a user. It works by modifying the existing `/token?grant_type=id_token` endpoint by allowing a `link_identity` body parameter. If it's set, t... push 28 Aug 2025 11:45AM UTC web-flow github
70.66
17293758063 hf/link-identity-oidc fix tests Pull #2108 28 Aug 2025 11:05AM UTC hf github
70.66
See All Builds (1079)

Badge your Repo: auth

We detected this repo isn’t badged! Grab the embed code to the right, add it to your repo to show off your code coverage, and when the badge is live hit the refresh button to remove this message.

Could not find badge in README.

Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

Refresh
  • Settings
  • Repo on GitHub
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2025 Coveralls, Inc