Skip to content

feat: add Supabase Auth identifier to OAuth redirect URLs #2299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cemalkilic wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: add Supabase Auth identifier to OAuth redirect URLs #2299

cemalkilic wants to merge 4 commits into from

Conversation

@cemalkilic
Copy link
Contributor

@cemalkilic cemalkilic commented Dec 16, 2025

Summary

Adds a Supabase Auth identifier (sb) to URL fragments in all OAuth redirect responses to help clients distinguish Supabase Auth redirects from third-party OAuth flows.

Problem

auth-js GoTrueClient currently intercepts all URL fragments containing access_token, including those from non-Supabase OAuth providers. This causes unintended logouts and authentication issues when users have other OAuth flows in their applications.

Related issue: supabase/supabase-js#1697

Solution

Added an empty sb parameter to the URL fragment in all redirect responses:

  • Success redirects with tokens (via AsRedirectURL)
  • Error redirects in OAuth callbacks (supabase-js has a __isAuthError, but adding it for error to be fault-tolerant, and non-supabase-sdk cases)
  • Error redirects in verification flows
  • Message redirects in verification flows

Example redirect URL:
https://example.com/callback#access_token=xxx&refresh_token=yyy&expires_in=3600&sb

Clients can now check for the presence of sb in the fragment to confirm the redirect originated from Supabase Auth.

@cemalkilic cemalkilic requested a review from a team as a code owner December 16, 2025 11:12
This was referenced Dec 16, 2025
Merged
Draft
@coveralls
Copy link

coveralls commented Dec 17, 2025
edited
Loading

Pull Request Test Coverage Report for Build 20816155494

Details

  • 6 of 6 (100.0%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.009%) to 68.792%
Totals Coverage Status
Change from base Build 20599680500: 0.009%
Covered Lines: 14749
Relevant Lines: 21440
💛 - Coveralls

@bnjmnt4n
Copy link
Contributor

bnjmnt4n commented Dec 17, 2025

Interesting use case. I guess it is uncommon for the same URL to be used as the redirect URL for multiple auth servers in different OAuth flows, which is why this isn’t really described in the spec?

@mandarini
Copy link

mandarini commented Dec 17, 2025
edited
Loading

@cemalkilic the security bot on the supabase-js repo has some interesting takes:
supabase/supabase-js#1959 (comment)

For production security, consider implementing cryptographic validation using a state token or nonce similar to the PKCE flow, which would require coordination with the Auth server implementation (https://github.com/supabase/auth/pull/2299).

I think, the way we have talked about it, is that the sb parameter is for disambiguation. Users requiring extra protection should use flowType: 'pkce'. Adding this sort of validation to implicit flow would be out of scope in this case.

@cemalkilic
Copy link
Contributor Author

cemalkilic commented Dec 29, 2025

I guess it is uncommon for the same URL to be used as the redirect URL for multiple auth servers in different OAuth flows, which is why this isn’t really described in the spec?

@bnjmnt4n, yeah most likely. This change is to support external OAuth integrations where the redirect doesn’t come from Supabase Auth, and to ensure the Supabase SDK doesn’t handle flows it didn’t initiate.

@mandarini exactly, PKCE covers those cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fadymak fadymak fadymak approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@cemalkilic @coveralls @bnjmnt4n @mandarini @fadymak