Github Access Token Invalid

[xdega]

Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using the GitHub OAuth Provider, I am unable to make valid API requests to GitHub with the access_token contained in session data that is returned. Login is successful, but using the access_token returns a 401, with "Bad Credentials" from GitHub. I can confirm that using the same access_token in a raw CURL request outside of my app returns the same error.

To Reproduce

1. Create a SvelteKit project
2. Create a GitHub Application (OAuth 2.0)
3. Add Supabase Auth, with GitHub Provider
4. Add login to app with the following code:

  async function signInWithGitHub() {
    const { error } = await supabase.auth.signInWithOAuth({
      provider: "github",
      options: {
        scopes: "repo"
      }
    });
    // ...

5. Log in to app
6. Retrieve the access token like so:

    supabase.auth.onAuthStateChange((event, session) => {
      // TODO: Temp for dev purposes
      console.log("Session: ", session);
    });

7. Attempted to use the access_token included in the session object as a bearer token in auth header, via cURL request to eliminate other variables. And hit any REST endpoint in the GitHub API
8. See that this token fails.

Expected behavior

Should successfully access the GitHub API

System information

• OS: OSX
• Version of supabase-js: "@supabase/supabase-js": "^2.39.3"
• Bun Runtime

Additional context

Have been blocked on this for at least 2 weeks now.

[J0]

Hey!

Could you try using the provider_token in the session response instead? The access_token is typically used for authenticating against Supabase Auth while the provider token might be more relevant when access oauth provider related endpoints.

Going to close for now but feel free to re-open if the issue persists