Skip to content

feat(auth): add OAuth 2.1 client admin endpoints #1240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(auth): add OAuth 2.1 client admin endpoints #1240

wants to merge 7 commits into from

Conversation

@grdsdev
Copy link
Contributor

@grdsdev grdsdev commented Oct 2, 2025
edited
Loading

Summary

Adds OAuth 2.1 client administration endpoints to supabase-auth based on the implementation from supabase-js.

This PR implements a new admin.oauth namespace with full CRUD operations for managing OAuth clients when the OAuth 2.1 server is enabled in Supabase Auth.

Changes

New Types (types.py)

  • OAuthClient - OAuth client object returned from the OAuth 2.1 server
  • OAuthClientResponse - Response type for OAuth client operations
  • OAuthClientListResponse - Response type for listing OAuth clients with pagination
  • CreateOAuthClientParams - Parameters for creating a new OAuth client
  • PageParams and Pagination - Pagination support
  • Type literals for grant types, response types, client types, and registration types

New API Classes

  • AsyncGoTrueAdminOAuthAPI - Async OAuth admin API
  • SyncGoTrueAdminOAuthAPI - Sync OAuth admin API

New Admin Methods (admin.oauth)

  • list_clients(params?: PageParams) - List OAuth clients with optional pagination
  • create_client(params: CreateOAuthClientParams) - Register new OAuth client
  • get_client(client_id: str) - Get client details by ID
  • delete_client(client_id: str) - Remove OAuth client
  • regenerate_client_secret(client_id: str) - Regenerate client secret

Tests

  • Comprehensive test coverage for all OAuth client operations
  • Tests gracefully handle cases where OAuth 2.1 server is not enabled

Implementation Notes

  • Follows existing patterns in the codebase (similar to admin.mfa)
  • Includes proper error handling and type safety
  • All methods require service_role key and should only be called server-side
  • Only relevant when the OAuth 2.1 server is enabled in Supabase Auth

References

Test plan

  • Code passes all existing tests
  • New tests added for OAuth client operations
  • Ruff checks pass
  • Manual testing with OAuth 2.1 enabled server (if available)

🤖 Generated with Claude Code

grdsdev and others added 3 commits October 2, 2025 11:51
@grdsdev @claude
feat(auth): add OAuth 2.1 client admin endpoints
f42ebc0 
Add OAuth 2.1 client administration endpoints to supabase-auth based on
the implementation from supabase-js PR #1582.

This adds a new `admin.oauth` namespace with full CRUD operations for
managing OAuth clients when the OAuth 2.1 server is enabled.

New admin.oauth methods:
- list_clients() - List OAuth clients with pagination
- create_client() - Register new OAuth client
- get_client() - Get client details by ID
- delete_client() - Remove OAuth client
- regenerate_client_secret() - Regenerate client secret

All methods include proper error handling and follow existing patterns
(similar to admin.mfa). These methods are only relevant when the OAuth
2.1 server is enabled in Supabase Auth.

References: supabase/supabase-js#1582

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@grdsdev @claude
fix(auth): handle empty responses and OAuth client list parsing
b48c6ff 
Fix multiple issues with OAuth 2.1 client admin endpoints:
- Add missing return statement in _request method when no xform
- Handle empty responses (204 No Content) from DELETE operations
- Fix list_clients to handle both list and dict response formats
- Handle empty data in delete_client response
- Update test expectations for DELETE operations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@grdsdev @claude
chore(auth): upgrade GoTrue to v2.180.0 and enable OAuth server
d81c379 
- Upgrade all GoTrue containers from v2.178.0/v2.169.0 to v2.180.0
- Enable OAuth 2.1 server on autoconfirm container for testing
- Add GOTRUE_OAUTH_SERVER_ENABLED and GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@grdsdev grdsdev requested review from o-santi and silentworks October 6, 2025 17:14
grdsdev added a commit to supabase/supabase-flutter that referenced this pull request Oct 6, 2025
@grdsdev @claude
test(gotrue): enable OAuth 2.1 server and fix response parsing
792cb19 
- Update GoTrue from v2.175.0 to v2.180.0
- Enable OAuth server with dynamic registration in test infrastructure
- Fix parsing of optional `aud` field in OAuthClientListResponse
- Handle empty response bodies (204 No Content) for delete operations
- Update delete test to expect null client on successful deletion

All OAuth admin endpoint tests now passing, matching behavior from
supabase/supabase-py#1240

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@grdsdev grdsdev mentioned this pull request Oct 6, 2025
Merged
7 tasks
grdsdev added a commit to supabase/supabase-flutter that referenced this pull request Oct 6, 2025
@grdsdev @claude
feat(gotrue): add OAuth 2.1 client admin endpoints (#1244)
ebc4c20 
* feat(gotrue): add OAuth 2.1 client admin endpoints

Add support for OAuth 2.1 client administration endpoints in the gotrue package. This feature allows server-side management of OAuth clients through the admin API.

New functionality:
- admin.oauth.listClients(): List OAuth clients with pagination
- admin.oauth.createClient(): Register new OAuth client
- admin.oauth.getClient(): Get client details by ID
- admin.oauth.deleteClient(): Remove OAuth client
- admin.oauth.regenerateClientSecret(): Regenerate client secret

Only relevant when OAuth 2.1 server is enabled in Supabase Auth. All methods require service_role key and should only be called server-side.

Ported from: supabase/supabase-js#1582

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* test(gotrue): enable OAuth 2.1 server and fix response parsing

- Update GoTrue from v2.175.0 to v2.180.0
- Enable OAuth server with dynamic registration in test infrastructure
- Fix parsing of optional `aud` field in OAuthClientListResponse
- Handle empty response bodies (204 No Content) for delete operations
- Update delete test to expect null client on successful deletion

All OAuth admin endpoint tests now passing, matching behavior from
supabase/supabase-py#1240

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
@silentworks
Copy link
Contributor

I will review this properly later today and leave any feedback here.

grdsdev
grdsdev commented Oct 29, 2025
View reviewed changes
src/auth/src/supabase_auth/_async/gotrue_admin_api.py
This function should only be called on a server.
Never expose your `service_role` key in the browser.
"""
validate_uuid(client_id)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@o-santi I'm using this uuid validation because it was already what was being used by other methods.

Since this is a new feature, does it make sense for the client_id param to be of type uuid.UUID instead of a raw str? So we don't need to validate it? We do this in Swift, but I don't know about Python.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@o-santi o-santi Awaiting requested review from o-santi

@silentworks silentworks Awaiting requested review from silentworks

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@grdsdev @silentworks