Custom OAuth providers

[LoriKarikari]

Hi,

Is it possible to add custom OAuth providers if you want to use one that isn't built-in yet?

[kiwicopple]

Hey @LoriKarikari - do you mean another provider like "Twitter", "Facebook" etc? We're working on these now. Are there any providers in particular that you're looking for?

[baptisteArno]

As soon as I get the access token and refresh token from the provider, how can I create a user? @kiwicopple
(I'll post a complete guide on how to authenticate with a custom provider as soon as I get this right 👍)

const userInfo = await spotifyApi.getMe();
const user = {
    aud: "authenticated",
    exp: 1615824388,
    sub: userInfo.body.id,
    email: userInfo.body.email,
    app_metadata: {
      provider: "spotify",
      access_token: data.body["access_token"],
      refresh_token: data.body["refresh_token"],
    },
    user_metadata: {},
    role: "authenticated",
};

// INSERT IN auth.users

[liaujianjie]

@baptisteArno Seems like Spotify OAuth might be landing soon: supabase/auth#245

[marc-on-github]

Have you found a solution?

[blechatellier]

@kiwicopple is there any workaround you might recommend for now to byo an oAuth provider. Any API in GoTrue we can use or would it work to handle the custom provider callbacks with edge functions and write straight to the auth table?

[xiakunhou]

@baptisteArno Have you found a solution to create user for customized auth provider?

[SealOfTime]

I am curious about the same question.

There are dozens of different oAuth providers, that may be local to certain countries or enterprise spheres: Sber, VKontakte (aka Facebook-competitor) and Yandex (aka Google-competitor) in Russia to begin with.

I can't see even the immensely active community of Supabase to implement all of them into the default distributipn. So the question arises, is there a possibility we would be able to define our own providers in a friendly UI, or at least as a some sort of a config?
Moreover, there are different authentication protocols specific to certain applications like LDAP for internal corporative systems, that my be desired by potential customers.

Would appreciate, if you would consider either giving the administrator ability to add custom oAuth providers or at least adding a chapter to the documentation about implementing custom authentication service and integrating that with Supabase's authorization.

Looking forward to your response!

[humphd]

@gracew just wanted to say 'thank-you' for this post, it was exactly what I needed. We're using it to implement our custom auth. You're a hero!

[Aldo111]

Thanks for sharing the guide, Grace! I was curious what might be the appropriate way to insert that data into auth.users (or is it not a good idea to do that with custom auth providers/jwts). I ultimately want to make sure all my registered users are in one place in the auth side of the database.

[OliverRhyme]

How can we handle token refresh with this?

[olee]

Same question: How to generate the correct refresh tokens this way?

[xiakunhou]

@gracew So in your solution, the auth tables would contain no user info(for example, the user_id would not be genreated), while only depends on the customized jwt playload to do RLS in posrgresql?

[halfong]

Consider make auth support for Wechat.

[kchojhu]

@gracew You are awesome! Looks like that is a great way to integrate with any authentication layer. I hope supabase would have official support for custom auth (maybe that can be done with functions)

[magick93]

Please consider Keycloak!

[fangmarks]

Pretty sure Keycloak got support in the latest Launchweek!

[fangmarks]

Yup

https://supabase.com/docs/guides/auth/auth-keycloak

[modyabhi]

Implement openID 2.0 for steam web authentication

[blanklob]

Can you please add Shopify ?

[kris]

Instagram, TikTok, Pinterest support? I'd love if we could get some sort of documentation on how to add custom providers.

[sambowenhughes]

+1 for Tiktok

[n0rmanc]

+1 for Tiktok

[augusteo]

+1 for Tiktok

[bhkangw]

Anotherrrrr +1 for Tiktok pls!

[pateljoel]

+1 for these OAuth login options, thanks @kris for mentioning this.

@kiwicopple these networks combined have a total 4.282 BILLION monthly active users, this would be massive for supabase to support these OAuth login options and will increase adoption of builders using supabase and more users using the apps on your platform.

Please consider TikTok, Instagram and Pinterest login.

[Jonevs]

Atlassian, please. Needed it for my Jira Integration App

[imjamesb]

Please add Vipps authentication. https://vipps.no

This is a Norwegian payment service.

[taujin]

Looking to integrate LINE oauth. Used pretty much all of Taiwan/Japan. Will there be a way to add OAUTH2 providers not on the list?

[Antiokh]

I'll upvote. So few plugins supporting this very popular Asian network.

[snak2e-tech]

Agreed. LINE is also used in a lot of Southeast Asia too. If you counted by the numbers... it probably is just as popular as telegram. Probably more so.

[sailorbob134280]

Interested in using Authentik for a self-hosted solution. Not sure if this is possible yet

[japarmedi]

I think SAML 2.0 integration is possible with Authentik and Supabase

[bigbizze]

would love an integration with quick books online https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0

[hxtnv]

Vk and Steam support would be awesome

[AdamBuchweitz]

+1 for Steam

[Herklos]

Could you please add Binance? https://developers.binance.com/docs/login/introduction

[sandervspl]

I would love to see a provider for Battle.net!

https://develop.battle.net/documentation/guides/using-oauth

[libratiger]

looks for this too

[rohanliston]

It would be great for a generic OAuth2/OIDC adapter to be prioritised, as it would provide support for countless authentication providers rather than having to wait for specific providers to be added one-by-one. Is this on the roadmap?

[j-o-sh]

Even further: This would enable us to use custom pseudo auth providers in development on localhost. Switching users in a multi-user app, while developing on localhost is currently a real pain and could be so much more elegant if we could just implement our own custom pseudo auth provider.

something like:
config.toml

[auth.external.custom.foobar]
enabled = true
client_id = "123"
secret = "donttellanyone"
redirect_uri = "http://localhost:54321/auth/v1/callback"
url = "http://localhost:9999"

[dtinth]

I found a hacky solution: Use Keycloak as authentication provider (which is based on OAuth 2.0) and create a custom API that imitates Keycloak’s API paths and behavior (there are only 3 endpoints to implement). More details in this comment: https://github.com/orgs/supabase/discussions/6547#discussioncomment-9049664

[rickylabs]

Any news on this ? Much anticipated feature for our company !

[starantini]

Hey guys,
anyone know if when calling this sign in with Id method, are the providers the same as the oAuth provider method. I've tried calling this method with provider set to slack. This method doesn't seem to recognize slack.

const { data, error } = await supabase.auth.signInWithIdToken({ provider: 'google', token: 'your-id-token' })

Error in browser: AuthApiError: Custom OIDC provider "" not allowed

I've confirmed that my id token is correct using jwt.io, is this a case that the list of providers for this method is not the same as the oAuth providers? Any work arounds? I can't use setSession method because I'm not able to get a refresh token and access token, so this was my work around to that.

Appreciate any ideas here as I've been grinding away at this for days trying to include as many providers as possible.

[StolteX]

I have the same error message with github...

[WanChengCheng]

Any updates on this?

[hxtnv]

To all those still coming here, I wouldn't hope for much - I emailed support back in march of this year and they said it is "unlikely" that more individual providers will be added. Here's the full response:

[all-mute]

+1 for Yandex and VK

[markadrake]

One of the things that attracted us to Supabase was the promise to make authentication easy(er). While we would still benefit today by moving to Supabase, we cannot because Supabase does not include our "social providers." This includes Xbox, Playstation, and Nintendo.

I kindly request new documentation to cover "bringing your own" authentication provider.

Thanks for your hard work and excellent product,

[lewinskimaciej]

I found this thread and also wanted to chime in, that we assumed this is possible with Supabase, only to find out it's not. We have our partners with their own OAuth2 identity solutions, branded and customized so we cannot bring their users into our platform easily because we can't integrate with them. This seems like an incredibly basic and required feature to have at this point.

[dtinth]

Possible workaround for now, until Supabase implements support for generic OAuth2/OIDC provider: https://github.com/orgs/supabase/discussions/6547#discussioncomment-9049664

[lewinskimaciej]

Hey, yeah I saw this and I like the idea. The only issue is that you can have only one provider of each type right? This limits us on partners we can work with because we'll only be able to create one keycloak provider.

[dtinth]

In this case maybe you can install Keycloak and use it as an identity broker instead of Supabase.

[lewinskimaciej]

Yeah I'm considering this, we're actually just keen on dropping Supabase entirely in favor of something like Ory that doesn't make that an issue, as our use case might require us to add multiple custom oauth providers in the future to our login solution.

[blechatellier]

Looks like they will start working on this in September, so probably a good 6 months away. I’ve been looking at alternatives and Auth0 also supports custom providers but would rather keep everything in supabase.

…

On Fri, 31 May 2024 at 7:11 PM, Maciej Lewiński ***@***.***> wrote: Yeah I'm considering this, we're actually just keen on dropping Supabase entirely in favor of something like Ory that doesn't make that an issue, as our use case might require us to add multiple custom oauth providers in the future to our login solution. — Reply to this email directly, view it on GitHub <#417 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADK3DXVIMU4S455SOI5PKDZFA5EZAVCNFSM4VCHFC62U5DIOJSWCZC7NNSXTOKENFZWG5LTONUW63SDN5WW2ZLOOQ5TSNRRGYYDMOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[RobbyUitbeijerse]

Hey @blechatellier, any chance you could link the information regarding starting this feature in September? We're contemplating on moving away from Supabase, but if the waiting time is ~5-6 months, we might just not do that - depending on what's in store.

@J0 - would love to hear your input - is this in the works? And will we be able to eg register different providers with the same provider type? the solution is currently quite limited, but Supabase offers us what we want in terms of experience - so we would rather stay :)

[blechatellier]

@RobbyUitbeijerse second hand information from a convo I had on Twitter https://x.com/stojaaan/status/1795421822114005163?s=46&t=zIzrZmJzfRoF4kjsueapFA

[RobbyUitbeijerse]

Thanks @blechatellier! Let's see...

[RobbyUitbeijerse]

@hf Hello there! Is this still planned in to be started in Sept?

[japarmedi]

I think you guys need to build your own Identification Provider and integrate it with Supabase through SAML 2.0 integration

[C5G6M7]

Hi all,

If supabase wanted to add this feature as simple solution would be to add a migration script that adds a "Provider" table to the auth schema in the database, then update the auth/internal/api/external.go function which currently looks like this:

`
func (a *API) Provider(ctx context.Context, name string, scopes string) (provider.Provider, error) {
config := a.config
name = strings.ToLower(name)

switch name {
case "apple":
	return provider.NewAppleProvider(ctx, config.External.Apple)
case "azure":
	return provider.NewAzureProvider(config.External.Azure, scopes)
case "bitbucket":
	return provider.NewBitbucketProvider(config.External.Bitbucket)
case "discord":
	return provider.NewDiscordProvider(config.External.Discord, scopes)
case "facebook":
	return provider.NewFacebookProvider(config.External.Facebook, scopes)
case "figma":
	return provider.NewFigmaProvider(config.External.Figma, scopes)
case "fly":
	return provider.NewFlyProvider(config.External.Fly, scopes)
case "github":
	return provider.NewGithubProvider(config.External.Github, scopes)
case "gitlab":
	return provider.NewGitlabProvider(config.External.Gitlab, scopes)
case "google":
	return provider.NewGoogleProvider(ctx, config.External.Google, scopes)
case "kakao":
	return provider.NewKakaoProvider(config.External.Kakao, scopes)
case "keycloak":
	return provider.NewKeycloakProvider(config.External.Keycloak, scopes)
case "linkedin":
	return provider.NewLinkedinProvider(config.External.Linkedin, scopes)
case "linkedin_oidc":
	return provider.NewLinkedinOIDCProvider(config.External.LinkedinOIDC, scopes)
case "notion":
	return provider.NewNotionProvider(config.External.Notion)
case "spotify":
	return provider.NewSpotifyProvider(config.External.Spotify, scopes)
case "slack":
	return provider.NewSlackProvider(config.External.Slack, scopes)
case "slack_oidc":
	return provider.NewSlackOIDCProvider(config.External.SlackOIDC, scopes)
case "twitch":
	return provider.NewTwitchProvider(config.External.Twitch, scopes)
case "twitter":
	return provider.NewTwitterProvider(config.External.Twitter, scopes)
case "workos":
	return provider.NewWorkOSProvider(config.External.WorkOS)
case "zoom":
	return provider.NewZoomProvider(config.External.Zoom)
default:
	return nil, fmt.Errorf("Provider %s could not be found", name)
}

}`

and change the default case at the end to call a method that checks for the existence of a custom provider in the database and return that as a new provider object if it exists.