Merge pull request #1051 from supabase-community/oidc-linkidentity

jan-tennert · web-flow · commit 1c7d3843f67d · 2025-09-17T22:45:17.000+02:00
Add support for linkIdentity with OIDC
diff --git a/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/Auth.kt b/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/Auth.kt
@@ -11,8 +11,10 @@ import io.github.jan.supabase.auth.mfa.MfaApi
 import io.github.jan.supabase.auth.providers.AuthProvider
 import io.github.jan.supabase.auth.providers.ExternalAuthConfigDefaults
 import io.github.jan.supabase.auth.providers.Google
+import io.github.jan.supabase.auth.providers.IDTokenProvider
 import io.github.jan.supabase.auth.providers.OAuthProvider
 import io.github.jan.supabase.auth.providers.builtin.Email
+import io.github.jan.supabase.auth.providers.builtin.IDToken
 import io.github.jan.supabase.auth.providers.builtin.Phone
 import io.github.jan.supabase.auth.providers.builtin.SSO
 import io.github.jan.supabase.auth.status.SessionSource
@@ -164,7 +166,13 @@ interface Auth : MainPlugin<AuthConfig>, CustomSerializationPlugin {
     /**
      * Links an OAuth Identity to an existing user.
      *
-     * This methods works similar to signing in with OAuth providers. Refer to the [documentation](https://supabase.com/docs/reference/kotlin/initializing) to learn how to handle OAuth and OTP links.
+     * Example:
+     * ```kotlin
+     * val url = supabase.auth.linkIdentity(Google)
+     * // Open the url in the browser, but this will happen automatically if [ExternalAuthConfigDefaults.automaticallyOpenUrl] is true (which it is by default)
+     * ```
+     *
+     * This method works similar to signing in with OAuth providers. Refer to the [documentation](https://supabase.com/docs/reference/kotlin/initializing) to learn how to handle OAuth and OTP links.
      * @param provider The OAuth provider
      * @param redirectUrl The redirect url to use. If you don't specify this, the platform specific will be used, like deeplinks on android.
      * @param config Extra configuration
@@ -179,6 +187,30 @@ interface Auth : MainPlugin<AuthConfig>, CustomSerializationPlugin {
         config: ExternalAuthConfigDefaults.() -> Unit = {}
     ): String?
 
+    /**
+     * Links an identity to the current user using an ID token.
+     *
+     * Example:
+     * ```kotlin
+     * supabase.auth.linkIdentityWithIdToken(provider = Google, idToken = "idToken") {
+     *     // Optional nonce
+     *     nonce = "nonce"
+     * }
+     * ```
+     *
+     * @param provider One of the [IDTokenProvider] providers.
+     * @param idToken The ID token to use
+     * @param config Extra configuration
+     * @throws RestException or one of its subclasses if receiving an error response. If the error response contains a error code, an [AuthRestException] will be thrown which can be used to easier identify the problem.
+     * @throws HttpRequestTimeoutException if the request timed out
+     * @throws HttpRequestException on network related issues
+     */
+    suspend fun linkIdentityWithIdToken(
+        provider: IDTokenProvider,
+        idToken: String,
+        config: (IDToken.Config).() -> Unit = {}
+    )
+
     /**
      * Unlinks an OAuth Identity from an existing user.
      * @param identityId The id of the OAuth identity
diff --git a/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/AuthImpl.kt b/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/AuthImpl.kt
@@ -13,7 +13,9 @@ import io.github.jan.supabase.auth.mfa.MfaApi
 import io.github.jan.supabase.auth.mfa.MfaApiImpl
 import io.github.jan.supabase.auth.providers.AuthProvider
 import io.github.jan.supabase.auth.providers.ExternalAuthConfigDefaults
+import io.github.jan.supabase.auth.providers.IDTokenProvider
 import io.github.jan.supabase.auth.providers.OAuthProvider
+import io.github.jan.supabase.auth.providers.builtin.IDToken
 import io.github.jan.supabase.auth.providers.builtin.OTP
 import io.github.jan.supabase.auth.providers.builtin.SSO
 import io.github.jan.supabase.auth.status.RefreshFailureCause
@@ -185,6 +187,16 @@ internal class AuthImpl(
         return null
     }
 
+    override suspend fun linkIdentityWithIdToken(
+        provider: IDTokenProvider,
+        idToken: String,
+        config: (IDToken.Config) -> Unit
+    ) {
+        val body = IDToken.Config(idToken = idToken, provider = provider, linkIdentity = true).apply(config)
+        val result = api.postJson("token?grant_type=id_token", body)
+        importSession(result.safeBody(), source = SessionSource.UserIdentitiesChanged(result.safeBody()))
+    }
+
     override suspend fun unlinkIdentity(identityId: String, updateLocalUser: Boolean) {
         api.delete("user/identities/$identityId")
         if (updateLocalUser) {
diff --git a/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/providers/builtin/IDToken.kt b/Auth/src/commonMain/kotlin/io/github/jan/supabase/auth/providers/builtin/IDToken.kt
@@ -1,5 +1,6 @@
 package io.github.jan.supabase.auth.providers.builtin
 
+import io.github.jan.supabase.annotations.SupabaseInternal
 import io.github.jan.supabase.auth.providers.Apple
 import io.github.jan.supabase.auth.providers.Azure
 import io.github.jan.supabase.auth.providers.Facebook
@@ -39,7 +40,8 @@ data object IDToken : DefaultAuthProvider<IDToken.Config, UserInfo> {
         @SerialName("id_token") var idToken: String = "",
         var provider: IDTokenProvider? = null,
         @SerialName("access_token") var accessToken: String? = null,
-        var nonce: String? = null
+        var nonce: String? = null,
+        @property:SupabaseInternal var linkIdentity: Boolean = false
     ) : DefaultAuthProvider.Config()
 
     @OptIn(ExperimentalSerializationApi::class)
diff --git a/Auth/src/commonTest/kotlin/AuthApiTest.kt b/Auth/src/commonTest/kotlin/AuthApiTest.kt
@@ -385,6 +385,37 @@ class AuthRequestTest {
         }
     }
 
+    @Test
+    fun testLinkIdentityWithIdToken() {
+        runTest {
+            val expectedProvider = Google
+            val expectedIdToken = "idToken"
+            val expectedAccessToken = "accessToken"
+            val expectedNonce = "nonce"
+            val client = createMockedSupabaseClient(configuration = configuration) {
+                val body = it.body.toJsonElement().jsonObject
+                val params = it.url.parameters
+                assertMethodIs(HttpMethod.Post, it.method)
+                assertPathIs("/token", it.url.pathAfterVersion())
+                assertEquals("id_token", params["grant_type"])
+                assertEquals(expectedIdToken, body["id_token"]?.jsonPrimitive?.content)
+                assertEquals(expectedProvider.name, body["provider"]?.jsonPrimitive?.content)
+                assertEquals(expectedAccessToken, body["access_token"]?.jsonPrimitive?.content)
+                assertEquals(expectedNonce, body["nonce"]?.jsonPrimitive?.content)
+                // ensure we signal linking
+                assertEquals("true", body["linkIdentity"]?.jsonPrimitive?.content)
+                respondJson(
+                    sampleUserSession()
+                )
+            }
+            client.auth.linkIdentityWithIdToken(expectedProvider, expectedIdToken) {
+                accessToken = expectedAccessToken
+                nonce = expectedNonce
+            }
+            assertNotNull(client.auth.currentSessionOrNull(), "Session should not be null")
+        }
+    }
+
     @Test
     fun testUnlinkIdentity() {
         runTest {
