
supabase / auth / 19453720722 / 1
69%
master: 69%

Build:
DEFAULT BRANCH: master
Ran 18 Nov 2025 04:13AM UTC
Files 168
Run time 6s
18 Nov 2025 04:05AM UTC coverage: 68.358% (-0.04%) from 68.402%
19453720722.1

push

github

web-flow
feat(oauthserver): add OpenID Connect support (#2250)

## Summary

Adds OpenID Connect (OIDC) support to Supabase Auth's OAuth 2.1 server.
This implementation generates ID tokens for OAuth authorization code
flows and provides the required OIDC discovery and `UserInfo` endpoints.

## Changes

### 1. ID Token Generation
- Added `IDTokenClaims` struct with OIDC standard claims
- Implemented `GenerateIDToken()` function that creates JWT ID tokens
- ID tokens include:
  - Standard claims: `sub`, `iss`, `aud`, `exp`, `iat`, `auth_time`, `nonce`
  - Profile claims: `email`, `email_verified`, `phone_number`, `phone_number_verified`, `name`, `picture`, `preferred_username`, `updated_at`
- ID tokens expire in 1 hour
- Updated `AccessTokenResponse` to include `id_token` field

### 2. Nonce Parameter Support
- Added `nonce` field to authorization flow for replay attack prevention
- Captured from authorization request query parameter
- Stored in `oauth_authorizations` table
- Included in ID token claims per OIDC spec

### 3. Unified Discovery Endpoint
- Enhanced `/.well-known/openid-configuration` with complete OIDC metadata
- Merged OAuth Authorization Server Metadata (RFC 8414) with OIDC Discovery
- Both endpoints now use the same unified handler:
  - `GET /.well-known/openid-configuration` (OIDC Discovery)
  - `GET /.well-known/oauth-authorization-server` (RFC 8414)
- Response includes: supported algorithms, grant types, response types, claims, PKCE methods

### 4. UserInfo Endpoint
- Implemented `GET /oauth/userinfo` per OIDC Core Section 5.3
- Protected by Bearer token authentication via `requireAuthentication` middleware
- Returns complete user profile including:
  - Mandatory `sub` claim (user ID)
  - User metadata, app metadata, identities, factors, timestamps

### 5. Database Migration
- Adds `nonce` column to `oauth_authorizations` table (nullable text)
- Includes check constraint limiting nonce to 255 characters
... (continued)

14351 of 20994 relevant lines covered (68.36%)

77.73 hits per line

  • 162788ff on github