Skip to content

feat(auth): add OAuth 2.1 authorization consent management API calls #1793

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 29, 2025
Merged

feat(auth): add OAuth 2.1 authorization consent management API calls #1793

merged 1 commit into from
Oct 29, 2025

Conversation

@cemalkilic
Copy link
Contributor

@cemalkilic cemalkilic commented Oct 21, 2025

Summary

Adds user-facing OAuth authorization methods to @supabase/auth-js for building consent pages when Supabase Auth acts as an OAuth 2.1 authorization server.

Implements the consent flow where users approve/deny OAuth client authorization requests.

New API

Namespace: auth.oauth.*

Three new methods for managing OAuth authorization consent:

// Get authorization details (client info, scopes, user)
const { data, error } = await supabase.auth.oauth.getAuthorizationDetails(
  authorizationId,
  { skipBrowserRedirect?: boolean }
)

// Approve authorization request
const { data, error } = await supabase.auth.oauth.approveAuthorization(
  authorizationId,
  { skipBrowserRedirect?: boolean }
)

// Deny authorization request
const { data, error } = await supabase.auth.oauth.denyAuthorization(
  authorizationId,
  { skipBrowserRedirect?: boolean }
)

Use Case

Enables developers to build custom OAuth consent pages for their Supabase projects when acting as an OAuth 2.1 authorization server. Example flow:

  1. User is redirected to consent page with authorization_id in URL
  2. App calls getAuthorizationDetails(authorizationId) to fetch client and scope info
  3. User reviews and clicks "Approve" or "Deny"
  4. App calls approveAuthorization() or denyAuthorization()
  5. SDK auto-redirects back to OAuth client with authorization code/error

What's NOT Included

Third-party OAuth client integration (calling /oauth/authorize and /oauth/token from external apps) is intentionally not included in this PR.

Rationale:

  • Standard OAuth 2.1 client libraries already handle this well
  • Would require full OAuth client lifecycle (refresh tokens, expiration, storage)
  • Better served by documentation + existing OAuth libraries
  • This PR focuses on the unique Supabase-specific consent management API, utilizing the existing Supabase session

Third-party integration will be addressed through comprehensive documentation showing how to use standard OAuth client libraries with Supabase Auth endpoints.

Breaking Changes

None. This is a purely additive change with zero breaking changes to existing APIs

@cemalkilic cemalkilic requested review from a team as code owners October 21, 2025 07:24
@github-actions github-actions bot added the auth-js Related to the auth-js library. label Oct 21, 2025
@coveralls
Copy link

coveralls commented Oct 21, 2025

Coverage Status

coverage: 95.455% (-0.5%) from 95.986%
when pulling 0d7a77a on cemal/feat-auth-add-oauth-endpoints
into c5ad2f4 on master.

issuedat
issuedat approved these changes Oct 23, 2025
View reviewed changes
@mandarini mandarini enabled auto-merge (squash) October 29, 2025 09:31
@mandarini mandarini merged commit 255d8dd into master Oct 29, 2025
37 of 38 checks passed
@mandarini mandarini deleted the cemal/feat-auth-add-oauth-endpoints branch October 29, 2025 09:32
@cemalkilic cemalkilic mentioned this pull request Oct 29, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@issuedat issuedat issuedat approved these changes

@mandarini mandarini mandarini approved these changes

Assignees

No one assigned

Labels

auth-js Related to the auth-js library.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@cemalkilic @coveralls @mandarini @issuedat