feat(oauth2): add /oauth/token endpoint (#2159)

## Summary
This PR completes the OAuth2 server implementation by adding the
`/token` endpoint, enabling full OAuth2 authorization code flow &
refresh token support.

## Key Features Added:
### OAuth Token Endpoint (POST /oauth/token) supporting:
- `authorization_code` grant type for exchanging authorization codes for
access
- refresh_token grant type for token refresh
- Both JSON and form-encoded request bodies
- OAuth Client authentication via Basic auth or request body parameters
(form params and JSON body)

### Token Service Integration:
- Integrated OAuth server with the existing token service
- Added OAuth-specific authentication method
(`oauth_provider/authorization_code`)
- Enhanced token generation to include OAuth client context in JWT
claims.

## Database Changes:
- Added `oauth_client_id` field to `sessions` table for OAuth client
tracking. So an OAuth clients can use a refresh token only if the
session is issued for them. Similarly, a session issued to a client can
only be refreshed by that client (i.e user can't use
`/token?grant_type=refresh_token` endpoint with a refresh token obtained
through `/oauth/token` endpoint.)

## Next Steps
- Adding ratelimit for the `/token` endpoint
- Store token auth method for oauth clients in the database

Author: cemalkilic

internal/api/api.go

@@ -93,11 +93,6 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 		version: version,
 	}
 
-	// Only initialize OAuth server if enabled
-	if globalConfig.OAuthServer.Enabled {
-		api.oauthServer = oauthserver.NewServer(globalConfig, db)
-	}
-
 	for _, o := range opt {
 		o.apply(api)
 	}
@@ -123,6 +118,11 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 	// Connect token service to API's time function (supports test overrides)
 	api.tokenService.SetTimeFunc(api.Now)
 
+	// Initialize OAuth server (only if enabled)
+	if globalConfig.OAuthServer.Enabled {
+		api.oauthServer = oauthserver.NewServer(globalConfig, db, api.tokenService)
+	}
+
 	if api.config.Password.HIBP.Enabled {
 		httpClient := &http.Client{
 			// all HIBP API requests should finish quickly to avoid
@@ -237,7 +237,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 			With(api.verifyCaptcha).Post("/otp", api.Otp)
 
 		// rate limiting applied in handler
-		r.With(api.verifyCaptcha).With(api.oauthClientAuth).Post("/token", api.Token)
+		r.With(api.verifyCaptcha).Post("/token", api.Token)
 
 		r.With(api.limitHandler(api.limiterOpts.Verify)).Route("/verify", func(r *router) {
 			r.Get("/", api.Verify)
@@ -359,6 +359,9 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				r.With(api.limitHandler(api.limiterOpts.OAuthClientRegister)).
 					Post("/clients/register", api.oauthServer.OAuthServerClientDynamicRegister)
 
+				// OAuth Token endpoint (public, with client authentication)
+				r.With(api.requireOAuthClientAuth).Post("/token", api.oauthServer.OAuthToken)
+
 				// OAuth 2.1 Authorization endpoints
 				// `/authorize` to initiate OAuth2 authorization code flow where Supabase Auth is the OAuth2 provider
 				r.Get("/authorize", api.oauthServer.OAuthServerAuthorize)

internal/api/middleware.go

@@ -17,6 +17,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/supabase/auth/internal/api/apierrors"
 	"github.com/supabase/auth/internal/api/oauthserver"
+	"github.com/supabase/auth/internal/api/shared"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/security"
@@ -84,9 +85,9 @@ func (a *API) limitHandler(lmt *limiter.Limiter) middlewareHandler {
 	}
 }
 
-// oauthClientAuth optionally authenticates an OAuth client as middleware
-// This doesn't fail if no client credentials are provided, but validates them if present
-func (a *API) oauthClientAuth(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+// requireOAuthClientAuth authenticates an OAuth client as middleware
+// Requires client_id to be present and validates client credentials
+func (a *API) requireOAuthClientAuth(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
 
 	clientID, clientSecret, err := oauthserver.ExtractClientCredentials(r)
@@ -121,7 +122,7 @@ func (a *API) oauthClientAuth(w http.ResponseWriter, r *http.Request) (context.C
 	}
 
 	// Add authenticated client to context
-	ctx = oauthserver.WithOAuthServerClient(ctx, client)
+	ctx = shared.WithOAuthServerClient(ctx, client)
 	return ctx, nil
 }
 

internal/api/oauthserver/auth.go

@@ -1,14 +1,17 @@
 package oauthserver
 
 import (
+	"bytes"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
+	"io"
 	"net/http"
 	"strings"
 )
 
 // ExtractClientCredentials extracts OAuth client credentials from the request
-// Supports both Basic auth header and form body parameters
+// Supports Basic auth header, form body parameters, and JSON body parameters
 func ExtractClientCredentials(r *http.Request) (clientID, clientSecret string, err error) {
 	// First, try Basic auth header: Authorization: Basic base64(client_id:client_secret)
 	authHeader := r.Header.Get("Authorization")
@@ -28,23 +31,38 @@ func ExtractClientCredentials(r *http.Request) (clientID, clientSecret string, e
 		return parts[0], parts[1], nil
 	}
 
-	// Fall back to form parameters
-	if err := r.ParseForm(); err != nil {
-		return "", "", errors.New("failed to parse form")
-	}
+	// Check Content-Type to determine how to parse body parameters
+	contentType := r.Header.Get("Content-Type")
+	if strings.Contains(contentType, "application/json") {
+		// Parse JSON body
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			return "", "", errors.New("failed to read request body")
+		}
+		// Restore the body so other handlers can read it
+		r.Body = io.NopCloser(bytes.NewBuffer(body))
 
-	clientID = r.FormValue("client_id")
-	clientSecret = r.FormValue("client_secret")
+		var jsonData struct {
+			ClientID     string `json:"client_id"`
+			ClientSecret string `json:"client_secret"`
+		}
+		if err := json.Unmarshal(body, &jsonData); err != nil {
+			return "", "", errors.New("failed to parse JSON body")
+		}
+
+		clientID = jsonData.ClientID
+		clientSecret = jsonData.ClientSecret
+	} else {
+		// Fall back to form parameters
+		if err := r.ParseForm(); err != nil {
+			return "", "", errors.New("failed to parse form")
+		}
 
-	// Return empty credentials if both are empty (no client auth attempted)
-	if clientID == "" && clientSecret == "" {
-		return "", "", nil
+		clientID = r.FormValue("client_id")
+		clientSecret = r.FormValue("client_secret")
 	}
 
-	// For public clients, only client_id is required (client_secret should be empty)
-	// For confidential clients, both client_id and client_secret are required
-	// We'll validate this based on the client type in the calling handler
-	// TODO(cemal) :: this will be validated in detail during the `/token` endpoint implementation
+	// return error if client_id is not provided
 	if clientID == "" {
 		return "", "", errors.New("client_id is required")
 	}