feat(auth): add OAuth 2.1 client admin endpoints #1240
Merged
+928
−62
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
grdsdev
added a commit
to supabase/supabase-flutter
that referenced
this pull request
Oct 6, 2025
- Update GoTrue from v2.175.0 to v2.180.0 - Enable OAuth server with dynamic registration in test infrastructure - Fix parsing of optional `aud` field in OAuthClientListResponse - Handle empty response bodies (204 No Content) for delete operations - Update delete test to expect null client on successful deletion All OAuth admin endpoint tests now passing, matching behavior from supabase/supabase-py#1240 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
7 tasks
grdsdev
added a commit
to supabase/supabase-flutter
that referenced
this pull request
Oct 6, 2025
* feat(gotrue): add OAuth 2.1 client admin endpoints Add support for OAuth 2.1 client administration endpoints in the gotrue package. This feature allows server-side management of OAuth clients through the admin API. New functionality: - admin.oauth.listClients(): List OAuth clients with pagination - admin.oauth.createClient(): Register new OAuth client - admin.oauth.getClient(): Get client details by ID - admin.oauth.deleteClient(): Remove OAuth client - admin.oauth.regenerateClientSecret(): Regenerate client secret Only relevant when OAuth 2.1 server is enabled in Supabase Auth. All methods require service_role key and should only be called server-side. Ported from: supabase/supabase-js#1582 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * test(gotrue): enable OAuth 2.1 server and fix response parsing - Update GoTrue from v2.175.0 to v2.180.0 - Enable OAuth server with dynamic registration in test infrastructure - Fix parsing of optional `aud` field in OAuthClientListResponse - Handle empty response bodies (204 No Content) for delete operations - Update delete test to expect null client on successful deletion All OAuth admin endpoint tests now passing, matching behavior from supabase/supabase-py#1240 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
|
I will review this properly later today and leave any feedback here. |
grdsdev
commented
Oct 29, 2025
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| validate_uuid(client_id) |
There was a problem hiding this comment.
@o-santi I'm using this uuid validation because it was already what was being used by other methods.
Since this is a new feature, does it make sense for the client_id param to be of type uuid.UUID instead of a raw str? So we don't need to validate it? We do this in Swift, but I don't know about Python.
There was a problem hiding this comment.
It should be, I agree with you. But I think for now, we should maintain this behavior for consistency with the other methods, as otherwise the user might need to have some ids in str and others in UUID, which is not really intuitive.
|
@grdsdev can you please merge the |
Add OAuth 2.1 client administration endpoints to supabase-auth based on the implementation from supabase-js PR #1582. This adds a new `admin.oauth` namespace with full CRUD operations for managing OAuth clients when the OAuth 2.1 server is enabled. New admin.oauth methods: - list_clients() - List OAuth clients with pagination - create_client() - Register new OAuth client - get_client() - Get client details by ID - delete_client() - Remove OAuth client - regenerate_client_secret() - Regenerate client secret All methods include proper error handling and follow existing patterns (similar to admin.mfa). These methods are only relevant when the OAuth 2.1 server is enabled in Supabase Auth. References: supabase/supabase-js#1582 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> # Conflicts: # src/auth/src/supabase_auth/_async/gotrue_admin_api.py # src/auth/src/supabase_auth/_sync/gotrue_admin_api.py
Fix multiple issues with OAuth 2.1 client admin endpoints: - Add missing return statement in _request method when no xform - Handle empty responses (204 No Content) from DELETE operations - Fix list_clients to handle both list and dict response formats - Handle empty data in delete_client response - Update test expectations for DELETE operations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Upgrade all GoTrue containers from v2.178.0/v2.169.0 to v2.180.0 - Enable OAuth 2.1 server on autoconfirm container for testing - Add GOTRUE_OAUTH_SERVER_ENABLED and GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
grdsdev
force-pushed
the
feat/auth-oauth-client-admin-endpoints
branch
from
db6d4f6 to
b9cd222
Compare
o-santi
approved these changes
Oct 30, 2025
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| validate_uuid(client_id) |
There was a problem hiding this comment.
It should be, I agree with you. But I think for now, we should maintain this behavior for consistency with the other methods, as otherwise the user might need to have some ids in str and others in UUID, which is not really intuitive.
Comment on lines
+10
to
+94
|
|
||
| class AsyncGoTrueAdminOAuthAPI: | ||
| """ | ||
| Contains all OAuth client administration methods. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| """ | ||
|
|
||
| async def list_clients( | ||
| self, | ||
| params: Optional[PageParams] = None, | ||
| ) -> OAuthClientListResponse: | ||
| """ | ||
| Lists all OAuth clients with optional pagination. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover | ||
|
|
||
| async def create_client( | ||
| self, | ||
| params: CreateOAuthClientParams, | ||
| ) -> OAuthClientResponse: | ||
| """ | ||
| Creates a new OAuth client. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover | ||
|
|
||
| async def get_client( | ||
| self, | ||
| client_id: str, | ||
| ) -> OAuthClientResponse: | ||
| """ | ||
| Gets details of a specific OAuth client. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover | ||
|
|
||
| async def update_client( | ||
| self, | ||
| client_id: str, | ||
| params: UpdateOAuthClientParams, | ||
| ) -> OAuthClientResponse: | ||
| """ | ||
| Updates an OAuth client. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover | ||
|
|
||
| async def delete_client( | ||
| self, | ||
| client_id: str, | ||
| ) -> OAuthClientResponse: | ||
| """ | ||
| Deletes an OAuth client. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover | ||
|
|
||
| async def regenerate_client_secret( | ||
| self, | ||
| client_id: str, | ||
| ) -> OAuthClientResponse: | ||
| """ | ||
| Regenerates the secret for an OAuth client. | ||
| Only relevant when the OAuth 2.1 server is enabled in Supabase Auth. | ||
| This function should only be called on a server. | ||
| Never expose your `service_role` key in the browser. | ||
| """ | ||
| raise NotImplementedError() # pragma: no cover |
There was a problem hiding this comment.
I understand this is done to be the same as the other "namespace classes" that already exist in this package, but I believe all of these should hold the actual implementation of the class, instead of having these ugly and confusing placeholders. It can be like this for now, I will refactor this in a later PR.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds OAuth 2.1 client administration endpoints to
supabase-authbased on the implementation from supabase-js.This PR implements a new
admin.oauthnamespace with full CRUD operations for managing OAuth clients when the OAuth 2.1 server is enabled in Supabase Auth.Changes
New Types (
types.py)OAuthClient- OAuth client object returned from the OAuth 2.1 serverOAuthClientResponse- Response type for OAuth client operationsOAuthClientListResponse- Response type for listing OAuth clients with paginationCreateOAuthClientParams- Parameters for creating a new OAuth clientPageParamsandPagination- Pagination supportNew API Classes
AsyncGoTrueAdminOAuthAPI- Async OAuth admin APISyncGoTrueAdminOAuthAPI- Sync OAuth admin APINew Admin Methods (
admin.oauth)list_clients(params?: PageParams)- List OAuth clients with optional paginationcreate_client(params: CreateOAuthClientParams)- Register new OAuth clientupdate_client(client_id: str, params: UpdateOAuthClientParams)- Update an existing OAuth clientget_client(client_id: str)- Get client details by IDdelete_client(client_id: str)- Remove OAuth clientregenerate_client_secret(client_id: str)- Regenerate client secretTests
Implementation Notes
admin.mfa)service_rolekey and should only be called server-sideReferences
Test plan
🤖 Generated with Claude Code