Support for Telegram OIDC: Unsupported elliptic curve secp256k1 in JWKS #2534

@llefort001

Describe the bug

When attempting to use the new Telegram OIDC / Custom OAuth provider, the authentication flow fails during the token exchange or profile retrieval phase. The error returned by Supabase Auth is: Error getting user profile from external provider.

After investigation, it appears that Telegram's OIDC implementation uses the secp256k1 elliptic curve for its signing keys (JWKS), which seems to be unsupported by the underlying Go libraries used in the Auth server (likely go-jose).

To Reproduce

  1. Set up a Custom OAuth provider in Supabase Dashboard using Telegram's OIDC endpoints:
    • URL: https://oauth.telegram.org/auth
    • Token URL: https://oauth.telegram.org/token
  2. Trigger the login flow from the client.
  3. Complete the Telegram authorization.
  4. On the redirect to /auth/callback, the process fails with an unexpected_failure or server_error.

Expected behavior

Supabase Auth should be able to parse and validate the ID Token signed with the secp256k1 curve provided in Telegram's JWKS (https://oauth.telegram.org/jwks).

Technical Context

Telegram's JWKS (https://oauth.telegram.org/jwks) contains keys with the following parameters:

  • kty: EC
  • crv: secp256k1

The error logs indicate that the curve is not recognized or supported, preventing the validation of the identity token.

Additional context

Telegram recently introduced this OIDC flow for bots. Many developers are moving towards this standard, but it seems that the secp256k1 curve (commonly used in blockchain but less common in standard OIDC) is creating a bottleneck for Supabase users.
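
A pre-flight check for the condition described in this issue, as an added example that is not part of the original report or of Supabase Auth's code: it lists the EC keys in a JWKS whose crv has no implementation in Go's standard crypto/elliptic package. The function name, the sample JWKS and its kid and coordinate values are constructed for illustration.

```go
package main

import (
	"crypto/elliptic"
	"encoding/json"
	"fmt"
)

// JWK "crv" names backed by Go's standard crypto/elliptic; secp256k1 is not one.
var stdCurves = map[string]elliptic.Curve{
	"P-256": elliptic.P256(),
	"P-384": elliptic.P384(),
	"P-521": elliptic.P521(),
}

type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
}

// UnsupportedECKeys returns "kid (crv=...)" for every EC key in a JWKS
// document whose curve has no crypto/elliptic implementation.
func UnsupportedECKeys(raw []byte) ([]string, error) {
	var set struct {
		Keys []jwk `json:"keys"`
	}
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, fmt.Errorf("parse JWKS: %w", err)
	}
	var bad []string
	for _, k := range set.Keys {
		if _, ok := stdCurves[k.Crv]; k.Kty == "EC" && !ok {
			bad = append(bad, fmt.Sprintf("%s (crv=%s)", k.Kid, k.Crv))
		}
	}
	return bad, nil
}

// Constructed sample JWKS: placeholder kid and coordinate values, not real keys.
const sampleJWKS = `{"keys":[
 {"kty":"EC","crv":"secp256k1","kid":"example-k1","x":"AA","y":"AA"},
 {"kty":"EC","crv":"P-256","kid":"example-p256","x":"AA","y":"AA"},
 {"kty":"RSA","kid":"example-rsa","n":"AA","e":"AQAB"}]}`

func main() {
	bad, err := UnsupportedECKeys([]byte(sampleJWKS))
	fmt.Println(bad, err)
}
```

Running the same function over a provider's JWKS before enabling it shows whether any signing key would need a curve the standard library cannot verify.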

Labels: bug
