supabase / auth

69%

LAST BUILD ON BRANCH master

branch: master

CHANGE BRANCH

x

Reset

Sync Branches

• master
• add-max-length-check-for-email
• add-phone-number-in-sms-webhook
• bewinxed/add-scim-v2
• bewinxed/webauthn-persist-latest-attestation
• bewinxed/webauthn-support
• bo/docs/readme-code-syntax
• bugfix/bootstrapping
• cemal/add-checksums-to-release-notes
• cemal/audit-log-stdout
• cemal/audit-logs-prevent-only-writing-postgres
• cemal/ci-fix-yaml-syntax-error
• cemal/custom-oidc-cache-discovery
• cemal/enhance-record-login-calls
• cemal/facebook-limited-login-support
• cemal/feat-add-oauth-authorize-endpoint
• cemal/feat-add-oauth-client-type
• cemal/feat-add-oauth-client-update-endpoint
• cemal/feat-add-oauth-consent-list-and-revoke
• cemal/feat-add-oauth-scopes-for-oidc
• cemal/feat-add-oauth-token-endpoint
• cemal/feat-add-oidc-provider-cache
• cemal/feat-add-oidc-support
• cemal/feat-add-regenerate-client-secret
• cemal/feat-add-well-known-oauth-auth-server
• cemal/feat-authorization-ttl-envvar
• cemal/feat-custom-oauth-oidc-providers
• cemal/feat-db-cache-for-custom-oidc-providers
• cemal/feat-enhance-url-check-issuer
• cemal/feat-facebook-limited-login-skip-nonce-check
• cemal/feat-loose-amr-claim-check
• cemal/feat-oauth-client-for-supabase
• cemal/feat-oauth2-return-redirect-url
• cemal/feat-prefix-for-migration-queries
• cemal/feat-redirect-url-v2
• cemal/feat-remove-client-id-column-oauth-clients
• cemal/feat-supabase-auth-identifier-oauth-redirects-auth-919
• cemal/feat-support-multiple-aud
• cemal/feat-update-docker-compose-dev
• cemal/feat-update-oauth-client-list-response
• cemal/feat-update-openapi
• cemal/fix-add-issuer-validator
• cemal/fix-add-missing-param
• cemal/fix-info-log-on-http-server-close
• cemal/fix-makefile
• cemal/fix-migration-version
• cemal/fix-oauth-client-redirect-uri-validation
• cemal/fix-oauth2-referer-check
• cemal/fix-openapi
• cemal/fix-provider-info-signup-audit
• cemal/fix-token-auth-endpoint-method-update
• cemal/oauth-provider-client
• cemal/refactor-token-service
• cemal/revert-reset
• chore-fix-link-to-netlify-gotrue
• chore/harden-runners
• chore/ip-tracking-cleanup
• chore/metric-tags
• chore/testing
• chore/update-workflow-check-commits
• cleanup-ci
• codex/add-passkey-support-to-supabase
• cs/api-db-access
• cs/api-errorcodes-refactor
• cs/auth-sso-resource-id-support
• cs/background-template-reloading
• cs/background-template-reloading-p2
• cs/background-template-reloading-p3
• cs/bug-fix-send-email-hook
• cs/bump-go-1.25.5
• cs/chore-apitask-tests
• cs/chore-gosec-fixes
• cs/conf-coverage
• cs/crypto-generate-otp-tests
• cs/e2e
• cs/e2e-tests-phone-confirm-and-change
• cs/error-code-metrics
• cs/feat-add-after-user-created-hook
• cs/feat-background-workers
• cs/feat-config-reloader
• cs/feat-config-reloads-poller
• cs/feat-email-and-sms-rate-limiting
• cs/feat-mailer-cleanup-p1
• cs/feat-mailer-logging
• cs/feat-makefile-qol
• cs/feat-percentage-based-db-conn-limits
• cs/feat-rate-limiter-persistence
• cs/feat-validate-email-address
• cs/feat-version-metric
• cs/feat-version-metric-errors
• cs/fix-build-system
• cs/fix-rate-limit-zero-value-test
• cs/fix-respect-rate-limit-zero
• cs/hooks-add-metdata
• cs/hooks-content-negotiation-fix
• cs/hooks-errors-fix
• cs/hooks-p1
• cs/hooks-p2
• cs/hooks-p3
• cs/hooks-p4
• cs/hooks-pr5-opt1
• cs/hooks-pr5-opt2
• cs/hooks-refactor-apierrors
• cs/hooks-test-coverage
• cs/invite-fix
• cs/mailer-refactor-p1
• cs/master-fix-missing-error-propagation
• cs/maxconn-fix-1
• cs/migrations-fix-for-add-mfa
• cs/rate-limit-otp-clarity
• cs/rate-limit-refactor
• cs/reduce-artifact-sizes
• cs/reload-coverage
• cs/reloader-allow-invalid-config-dir
• cs/reloader-unittest-race-fix
• cs/remove-template-prefetch
• cs/revert-1974
• cs/template-cache-warmup
• cs/update-email-validation
• cs/update-godotenv
• cs/v1hooks
• da/fix-release
• dependabot/go_modules/github.com/consensys/gnark-crypto-0.18.1
• dependabot/go_modules/github.com/ethereum/go-ethereum-1.16.8
• dependabot/go_modules/github.com/getkin/kin-openapi-0.131.0
• dependabot/go_modules/github.com/go-chi/chi/v5-5.2.2
• dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.4
• dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.1
• dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.2
• dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2
• dependabot/go_modules/github.com/rs/cors-1.11.0
• dependabot/go_modules/go_modules-03c8d65c28
• dependabot/go_modules/go_modules-c0992384b1
• dependabot/go_modules/golang.org/x/crypto-0.31.0
• dependabot/go_modules/golang.org/x/net-0.23.0
• dependabot/go_modules/golang.org/x/net-0.36.0
• dependabot/go_modules/golang.org/x/net-0.38.0
• dependabot/go_modules/golang.org/x/oauth2-0.27.0
• depthfirst_effd66245bd981ba5a07aa6b7441ad37578f9b73_c9fe0adfec1c4c0e63a2388cdc8d50a6
• development
• docs-1710-verify-type-options
• docs-anon-login-configs
• docs/documentation-cleanup
• docs/remove-unused-env-var
• esinx-naver-provider
• etienne/cors-allowed-origins
• feat-slack-oauth-v2
• feat/add-email-metrics
• feat/client-ip-forwarding
• feat/comma-separated-header-keys
• feat/cursor-mcp-oauth-support
• feat/min-jwt
• feat/mx-blocklist
• feat/solana-ledger
• feat/token-endpoint-auth-method-enforcement
• feat_docker_compose_and_go
• feature/snapchat-oauth
• figma-auth
• fix--oauth-redirect-parsing
• fix-binary-name
• fix-contributing-md
• fix-magiclink-requiredchars
• fix/firebase-scrypt-base64-encoding
• fix/oauth-token-endpoint-auth-method
• fix/update-sanitize-signup
• fix/valid-methods-parsing
• fix_contributing_typo
• fm/add-darwin-arm64-build-target
• fm/auth-969-state-param
• fm/auth-982
• fm/fix-flaky-idx-worker-test
• fm/fix-go-sec-errors
• fm/gosec-fixes
• fm/index-worker-threshold-config
• hf/aao-in-send-email
• hf/add-audit-log-disable-postgres
• hf/add-authorized-email-addresses
• hf/add-azure-ciam
• hf/add-exhaustive
• hf/add-headers-to-issue-refresh-token
• hf/add-magic-link-disable-toggle
• hf/add-max-idle-time
• hf/add-one-time-tokens
• hf/add-support-for-argon2
• hf/adjust-required-claims-in-auth-hooks
• hf/artifact-bucket
• hf/azure-overage-include-api-version
• hf/bump-saml-0-5-1
• hf/captcha-parsing-fix
• hf/change-s3-role
• hf/chore-fix-gha-perms
• hf/chore-release-as-2-165-2
• hf/ci-alpine-3
• hf/ci-dogofooding-checks-on-release
• hf/ci-fast-release-tarball
• hf/ci-fix-binary-version-docker
• hf/ci-fix-coverage-metering
• hf/ci-fix-dogfooding
• hf/ci-fix-dogfooding-take-2
• hf/clean-up-master
• hf/cover-crypto-100
• hf/db-advisor
• hf/email-less-accounts-with-oauth
• hf/email-rate-limiting-new-config
• hf/encrypt-sensitive-columns
• hf/encrypted-password-pointer
• hf/experimental-provider-linking-domains
• hf/external-host-validation
• hf/fail-empty-address
• hf/fallback-to-jwt-secret-if-unknown-kid
• hf/feat-bump-new-version
• hf/feat-embedded-migrations
• hf/fix-apple-oidc-issuer-change
• hf/fix-argon2
• hf/fix-authenticate-empty-string
• hf/fix-azure-large-groups
• hf/fix-claim-overages-json-azure
• hf/fix-coveralls-image
• hf/fix-custom-sms-twilio-verify
• hf/fix-expose-x-supabase-api-version-header-in-cors
• hf/fix-gosec-siwe
• hf/fix-id-token-permission
• hf/fix-idempotent-logout
• hf/fix-identity-email-verified
• hf/fix-invalid-url-thing
• hf/fix-local-dockerfile
• hf/fix-mail-headers
• hf/fix-mfa-config-backward-compatibility
• hf/fix-mfa-verify-rt-v2
• hf/fix-new-oidc-provider-apple
• hf/fix-redirect-empty-hostname
• hf/fix-redirect-ip-address
• hf/fix-secret-api-key-ignore-aud-claim
• hf/fix-session-upgrade-percentage
• hf/fix-solana-localhost
• hf/fix-strip-version
• hf/fix-supafast
• hf/fix-timeout-writer
• hf/fix-write-header
• hf/fix-write-header-deadlock
• hf/gomft
• hf/hook-log
• hf/inline-mailme
• hf/limit-low-aal-sessions
• hf/link-identity-oidc
• hf/log-json-error-response
• hf/mail-headers
• hf/merge-metadata
• hf/mfa-rt-2-counter-2
• hf/more-fix-rt-2
• hf/move-email-sms-send-out-of-update-user-transaction
• hf/new-rt
• hf/openid-configuration
• hf/phase-ii-ott
• hf/redirect-url-fragment
• hf/remove-data-migrations
• hf/revert-azure-claim-overages
• hf/saml-array-values
• hf/saml-encrypted-assertions
• hf/saml-specific-external-url
• hf/separate-web3-rate-limits-from-other-token
• hf/skip-apple-issuer-check-oidc
• hf/snap
• hf/split-words-audit-log
• hf/supafast-tarball
• hf/support-apple-transfer-sub
• hf/test-release
• hf/try-to-run-release-please-again
• hf/ubuntu-latest
• hf/upgrade-refresh-tokens-v2
• hf/upload-artifacts-to-s3
• hf/use-redirect-url
• hf/vercel-global-user-id
• hf/x-sb-error-code
• iat/align-notifications-defaults
• iat/async-index-creation
• iat/auth-840-phone-number-changed-notification
• iat/auth-841-identity-linked-notifications
• iat/auth-842-email-send-hooks-for-notifications
• iat/auth-906-auth-trgm
• iat/auth-916-remove-text-pattern-ops-idx
• iat/auth-954-remove-trgm-ext
• iat/bump-go-version-docker
• iat/email-changed-notification
• iat/idx-worker-structured-logging
• iat/mfa-enrollment-notifications
• iat/password-changed-notification
• iat/remove-create-extension-pg-trgm
• iat/x-provider
• j0/accurately_affect_max_frequency_limit
• j0/add_additional_info_around_mime_type_error
• j0/add_context_to_load_factor
• j0/add_custom_email_sender_hook
• j0/add_has_factor_claim
• j0/add_hook_trigger_logic
• j0/add_last_challenged_at
• j0/add_mfa_phone_openapi_spec
• j0/add_mfa_sms
• j0/add_scrypt_password_hash
• j0/add_timeout_middleware
• j0/add_token_for_non_secure_email_change
• j0/add_twilio_verify_support_for_mfa_phone
• j0/add_webauthn
• j0/add_webauthn_config
• j0/adjust_mfa_status_codes
• j0/allow_kong_and_edge_functions
• j0/allow_only_one_phone_factor
• j0/allow_postgres_and_http_on_extensibility_point
• j0/backport_auth_namespace_to_enums
• j0/change_mfa_error_code
• j0/check_for_phone_identity_on_phone_chang
• j0/custom_email_hook
• j0/deprecate_mfa_enabled_config
• j0/drop_uniqueness_constraint_on_mfa_phone
• j0/fido2_authenticator_challenge_verify_model
• j0/fix_email_change_with_phone_auth
• j0/fix_migration_idempotent_phone_cnfig
• j0/fix_rc_duplicate_identifier
• j0/fixes_while_testing
• j0/forbid_access_token_issuance_without_session
• j0/hide_hook_name
• j0/merge_aal_and_amr_update
• j0/mfa_refactor_load_factor
• j0/minor_speling_error
• j0/move_totp_mfa_to_dedicated_fn
• j0/move_verification_into_mailer_package
• j0/patch_secure_email_change
• j0/phone_mfa_refactors
• j0/prevent_panic_on_email_change
• j0/publish_to_ghcr
• j0/refactor_generate_access_token
• j0/refactor_generate_access_token_to_accept_request
• j0/remove_deprecated_code
• j0/remove_find_factors_by_user
• j0/remove_find_session_by_id
• j0/remove_set_cookie_tokens
• j0/remove_totp_field_for_phone_response
• j0/rename_to_send_sms
• j0/require_appropriate_aal_for_pw_update
• j0/return_factor_type_in_challenge
• j0/send_over_user_in_send_sms_hook
• j0/update_auth_functions
• j0/update_error_code_id_token
• j0/update_hook_schema
• j0/update_mfa_error_message
• j0/update_openapi_schema
• j0/update_openapi_spec
• j0/update_phone_admin_methods
• j0/upgrade-contrib-docs
• j0/upgrade_go_version
• j0/upgrade_otel_deps
• j0/validate_send_email
• j0/webauthn_fixes
• janek/signup-identities-email-verified
• km/add-error-codes
• km/add-error-codes-password-login
• km/add-ip-based-limits
• km/add-saml-tests
• km/alter-auth-uid
• km/bump-alpine-go
• km/check-empty-aud
• km/chore-remove-unused-hook-outputs
• km/cleanup-anonymous-users
• km/feat-asymmetric-jwt-support
• km/fix-admin-update-user
• km/fix-amr-mfa
• km/fix-anonymous-user-linking
• km/fix-attribute-mapping
• km/fix-auth-hook-error
• km/fix-auth-hooks
• km/fix-authorized-emails
• km/fix-authorized-middleware-check
• km/fix-cleanup-logging
• km/fix-context-cancellation
• km/fix-custom-sms-hook-config
• km/fix-email-verified
• km/fix-enable-rls
• km/fix-external-state
• km/fix-figma
• km/fix-ignore-rate-limits-for-autoconfirm
• km/fix-improve-session-error
• km/fix-jwt
• km/fix-linkedin-oidc-issuer
• km/fix-logging
• km/fix-mailer-config
• km/fix-max-password-length-error
• km/fix-mfa-factors-index
• km/fix-panic-logout
• km/fix-panic-refresh-token
• km/fix-pkce-verify-post
• km/fix-rate-limit-log-level
• km/fix-return-error-code
• km/fix-saml-assertion
• km/fix-search-path
• km/fix-serve
• km/fix-shared-limiter
• km/fix-signup-generate-link
• km/fix-signup-verify
• km/fix-timeout-write-header
• km/fix-update-attribute-mapping
• km/fix-update-phone
• km/fix-update-user
• km/fix-update-user-email
• km/fix-update-user-phone-change
• km/fix-use-factor-id
• km/format-test-otps
• km/hotfix-jwt-aud
• km/improve-logging
• km/improve-mfa-verify-logs
• km/improve-saml-logging
• km/improve-token-oidc-logging
• km/inactivity-session-bug
• km/normalise-emails
• km/phase-iii-ott
• km/redirect-invalid-state
• km/ref-retrieve-request-params
• km/remove-unused-args
• km/return-identity
• km/return-session-not-found-error
• km/update-admin-create-user
• km/update-chi-version
• km/update-ci
• km/update-error-message
• km/update-golang-jwt
• km/update-mailme
• km/update-oapi
• km/v2.157.1
• line-oidc
• oidc-iss-checks
• omerhochman/fix-linkedin-iodc-error
• optional_2fa
• or/bearer_ci
• or/fallback-on-btree-when-hash-unavailable
• or/query_reduction
• or/test-twitter-oauth
• patch-1
• push-wnvwkqmwrrtk
• refs/tags/rc2.170.0-rc.10
• refs/tags/v2.186.0
• refs/tags/v2.187.0
• release-please--branches--cs/test-release-please
• release-please--branches--master
• release/2.165.0
• remove-instance-id-queries
• remove-redundant-method-hookuri-param
• revert-1534-omerhochman/fix-linkedin-iodc-error
• revert-1616-km/alter-auth-uid
• revert-1812-hf/artifact-bucket
• revert-1856-or/fallback-on-btree-when-hash-unavailable
• revert-1858-revert-1856-or/fallback-on-btree-when-hash-unavailable
• revert-2239-iat/async-index-creation
• sam/packaged-auth
• scim
• sec-601-password-change-function
• simplify-request-tracing-middleware-setup-logic
• single-source-of-truth-for-waitforcleanup
• siwe-implementation
• snyk-fix-0720ecd3bfe1e766e52214a3bbab15f5
• timkendrick/fix-saml-client-entity-id
• update-docker-container-name
• update-md-for-resend-endpont
• upgrade-github-actions-node24
• upgrade-github-actions-node24-general
• vercel-marketplace-oidc

Build # 22579487526

Build Type

push

github

Committed by web-flow

Commit Message

feat: cache OIDC discovery documents for providers (#2389)

## Summary
- Add `OIDCProviderCache` with TTL-based expiry, singleflight dedup, and
invalidation support
- Wire cache through all OIDC-based providers (Apple, Azure, Google,
LinkedIn OIDC, Vercel Marketplace, custom OIDC) and the ID token grant
flow
- Make TTL configurable via `GOTRUE_EXTERNAL_OIDC_PROVIDER_CACHE_TTL`
(default: `1h`)


This caches the `oidc.Provider` structs, which avoids re-fetching the
OIDC discovery document (`.well-known/openid-configuration`) on every
request. JWKS caching is handled separately by the `go-oidc` library, it
lazy-loads the key set on the first `Verify` call and manages its own
cache internally.

  ## Test plan
- [x] Unit tests for cache hit/miss, TTL expiry, singleflight dedup,
invalidation, clear, multiple issuers, error handling
- [ ] Verify with live OIDC providers (Apple, Google, custom oidc
providers etc.)

Run Details

100 of 186 new or added lines in 13 files covered. (53.76%)

3 existing lines in 1 file now uncovered.

15805 of 22992 relevant lines covered (68.74%)

78.26 hits per line