feat: implement OAuth2 authorization endpoint #2107
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cemalkilic
commented
Aug 7, 2025
Pull Request Test Coverage Report for Build 17382355296Details
💛 - Coveralls |
cemalkilic
commented
Aug 7, 2025
hf
approved these changes
Aug 7, 2025
cemalkilic
force-pushed
the
cemal/feat-add-oauth-authorize-endpoint
branch
from
18a0614 to
4e9d9ee
Compare
as we’re using the existing database enum, and it’s defined with `s256` and `plain`
`resource` param is being used in MCP auth to indicate which MCP server is being accessed we can provide the configuration of valid resources in the future. for now the plan is just to store during `/authorize` and validate if the same resource is being requested in the `/token` call
## What kind of change does this PR introduce? Adding `.well-known/oauth-authorization-server` endpoint per [RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414)
cemalkilic
force-pushed
the
cemal/feat-add-oauth-authorize-endpoint
branch
from
4e9d9ee to
1a313d8
Compare
cemalkilic
pushed a commit
that referenced
this pull request
Sep 23, 2025
🤖 I have created a release *beep* *boop* --- ## [2.180.0](v2.179.0...v2.180.0) (2025-09-23) ### Features * add OAuth client type ([#2152](#2152)) ([b118f1f](b118f1f)) * add phone to sms webhook payload ([#2160](#2160)) ([d475ac1](d475ac1)) * background template reloading p1 - baseline decomposition ([#2148](#2148)) ([746c937](746c937)) * config reloading with fsnotify, poller fallback, and signals ([#2161](#2161)) ([c77d512](c77d512)) * enhance issuer URL validation in OAuth server metadata ([#2164](#2164)) ([a9424d2](a9424d2)) * implement OAuth2 authorization endpoint ([#2107](#2107)) ([5318552](5318552)) * **oauth2:** add `/oauth/token` endpoint ([#2159](#2159)) ([a89a0b0](a89a0b0)) * **oauth2:** add admin endpoint to regenerate OAuth client secrets ([#2170](#2170)) ([0bd1c28](0bd1c28)) * **oauth2:** return redirect_uri on GET authorization ([#2175](#2175)) ([b0a0c3e](b0a0c3e)) * **oauth2:** use `id` field as the public client_id ([#2154](#2154)) ([86b7de4](86b7de4)) * **openapi:** add OAuth 2.1 server endpoints and clarify OAuth modes ([#2165](#2165)) ([1f804a2](1f804a2)) * password changed email notification ([#2176](#2176)) ([fe0fd04](fe0fd04)) * support `transfer_sub` in apple id tokens ([#2162](#2162)) ([8a71006](8a71006)) ### Bug Fixes * ensure request context exists in API db operations ([#2171](#2171)) ([060a992](060a992)) * **makefile:** remove invalid @ symbol from shell commands ([#2168](#2168)) ([e6afe45](e6afe45)) * **oauth2:** switch to Origin header for request validation ([#2174](#2174)) ([42bc9ab](42bc9ab)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
issuedat
pushed a commit
that referenced
this pull request
Sep 30, 2025
# Summary This PR implements the OAuth 2.1 authorization endpoint in Supabase Auth, completing the server-side OAuth flow by adding user authorization and consent management. Building on the OAuth client registration foundation (#2098), this enables Supabase Auth to function as an OAuth 2.1 authorization server. # Features Added ## Authorization Flow Endpoints - **Authorization Initiation** (`GET /oauth/authorize`) - Initiates OAuth 2.1 authorization code flow with PKCE support and redirects user to (for now) pre-configured url - **Authorization Details** (`GET /oauth/authorizations/{authorization_id}`) - Retrieves authorization request details for consent UI - **Consent Processing** (`POST /oauth/authorizations/{authorization_id}/consent`) - Handles user consent decisions (approve/deny) ## Authorization Management - **PKCE Enforcement** - Mandatory PKCE (RFC 7636) with S256/Plain support for OAuth 2.1 compliance - **User Consent Tracking** - Persistent consent storage with scope-based auto-approval for trusted clients - **State Management** - Complete authorization lifecycle management (pending → approved/denied/expired) - **Security Controls** - Authorization expiration, redirect URI validation # Technical Implementation ## Database Schema - New `oauth_authorizations` table for authorization requests with status tracking - New `oauth_consents` table for persistent user consent management - Enhanced enums for authorization status and response types - Comprehensive indexing for performance and cleanup operations ## Code Organization - Extended `internal/api/oauthserver` package with authorization flow handlers - New models: `OAuthServerAuthorization`, `OAuthServerConsent`, and scope utilities - Shared PKCE utilities extracted to `internal/models/pkce.go` for reuse - Context utilities moved to `internal/api/shared` to avoid circular dependencies # Future Work - **Integration Tests** - Add comprehensive integration tests for authorization flow handlers - **Audit Logging** - Enhanced audit logging for authorization decisions and consent management - **Scope Enforcement** - Currently scope handling provides future extensibility without active enforcement/utilization
issuedat
pushed a commit
that referenced
this pull request
Sep 30, 2025
🤖 I have created a release *beep* *boop* --- ## [2.180.0](v2.179.0...v2.180.0) (2025-09-23) ### Features * add OAuth client type ([#2152](#2152)) ([b118f1f](b118f1f)) * add phone to sms webhook payload ([#2160](#2160)) ([d475ac1](d475ac1)) * background template reloading p1 - baseline decomposition ([#2148](#2148)) ([746c937](746c937)) * config reloading with fsnotify, poller fallback, and signals ([#2161](#2161)) ([c77d512](c77d512)) * enhance issuer URL validation in OAuth server metadata ([#2164](#2164)) ([a9424d2](a9424d2)) * implement OAuth2 authorization endpoint ([#2107](#2107)) ([5318552](5318552)) * **oauth2:** add `/oauth/token` endpoint ([#2159](#2159)) ([a89a0b0](a89a0b0)) * **oauth2:** add admin endpoint to regenerate OAuth client secrets ([#2170](#2170)) ([0bd1c28](0bd1c28)) * **oauth2:** return redirect_uri on GET authorization ([#2175](#2175)) ([b0a0c3e](b0a0c3e)) * **oauth2:** use `id` field as the public client_id ([#2154](#2154)) ([86b7de4](86b7de4)) * **openapi:** add OAuth 2.1 server endpoints and clarify OAuth modes ([#2165](#2165)) ([1f804a2](1f804a2)) * password changed email notification ([#2176](#2176)) ([fe0fd04](fe0fd04)) * support `transfer_sub` in apple id tokens ([#2162](#2162)) ([8a71006](8a71006)) ### Bug Fixes * ensure request context exists in API db operations ([#2171](#2171)) ([060a992](060a992)) * **makefile:** remove invalid @ symbol from shell commands ([#2168](#2168)) ([e6afe45](e6afe45)) * **oauth2:** switch to Origin header for request validation ([#2174](#2174)) ([42bc9ab](42bc9ab)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements the OAuth 2.1 authorization endpoint in Supabase Auth, completing the server-side OAuth flow by adding user authorization and consent management. Building on the OAuth client registration foundation (#2098), this enables Supabase Auth to function as an OAuth 2.1 authorization server.
Features Added
Authorization Flow Endpoints
GET /oauth/authorize) - Initiates OAuth 2.1 authorization code flow with PKCE support and redirects user to (for now) pre-configured urlGET /oauth/authorizations/{authorization_id}) - Retrieves authorization request details for consent UIPOST /oauth/authorizations/{authorization_id}/consent) - Handles user consent decisions (approve/deny)Authorization Management
Technical Implementation
Database Schema
oauth_authorizationstable for authorization requests with status trackingoauth_consentstable for persistent user consent managementCode Organization
internal/api/oauthserverpackage with authorization flow handlersOAuthServerAuthorization,OAuthServerConsent, and scope utilitiesinternal/models/pkce.gofor reuseinternal/api/sharedto avoid circular dependenciesFuture Work