@grdsdev grdsdev commented Oct 2, 2025

Summary

This PR adds OAuth 2.1 client administration endpoints to the gotrue package, porting the feature from supabase-js#1582 and supabase-py#1240.

The new admin.oauth namespace provides comprehensive OAuth client management capabilities for server-side use with service role keys.

Changes

New API Methods

  • admin.oauth.listClients() - List all OAuth clients with optional pagination
  • admin.oauth.createClient() - Register a new OAuth client
  • admin.oauth.getClient() - Get client details by ID
  • admin.oauth.deleteClient() - Remove an OAuth client
  • admin.oauth.regenerateClientSecret() - Regenerate client secret

New Types

  • OAuthClientGrantType - Grant types enum (authorization_code, refresh_token)
  • OAuthClientResponseType - Response types enum (code)
  • OAuthClientType - Client type enum (public, confidential)
  • OAuthClientRegistrationType - Registration type enum (dynamic, manual)
  • OAuthClient - OAuth client model
  • CreateOAuthClientParams - Parameters for creating OAuth clients
  • OAuthClientResponse - Response wrapper for single client operations
  • OAuthClientListResponse - Response wrapper for list operations

Implementation Details

  • Added GoTrueAdminOAuthApi class following the pattern of GoTrueAdminMFAApi
  • All methods require service_role key and should only be called server-side
  • Proper UUID validation for client IDs
  • Handles optional fields (aud in list response)
  • Handles empty response bodies (204 No Content for delete operations)
  • Comprehensive test coverage matching Python implementation

Test Infrastructure Updates

  • Updated GoTrue test image from v2.175.0 to v2.180.0
  • Enabled OAuth 2.1 server in test environment:
    • GOTRUE_OAUTH_SERVER_ENABLED: 'true'
    • GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION: 'true'

Usage Example

```dart
// Create a new OAuth client
final params = CreateOAuthClientParams(
  clientName: 'My Application',
  redirectUris: ['https://myapp.com/callback'],
  clientUri: 'https://myapp.com',
  scope: 'openid profile email',
);

final response = await supabase.auth.admin.oauth.createClient(params);
// `client` is nullable (delete, for example, returns 204 with no body),
// so guard it before passing the ID to the other methods.
final created = response.client;
if (created == null) {
  throw StateError('createClient returned no client');
}
final clientId = created.clientId;
// The client secret is sensitive: keep it server-side, never ship it to clients.
final clientSecret = created.clientSecret;

// List all OAuth clients
final clients = await supabase.auth.admin.oauth.listClients();

// Get client by ID
final client = await supabase.auth.admin.oauth.getClient(clientId);

// Regenerate client secret
final updated = await supabase.auth.admin.oauth.regenerateClientSecret(clientId);

// Delete client
await supabase.auth.admin.oauth.deleteClient(clientId);
```

Notes

  • Only relevant when the OAuth 2.1 server is enabled in Supabase Auth
  • All methods must be called with service_role key
  • Never expose service_role key in client-side code

Test Plan

  • Added comprehensive unit tests for all OAuth admin methods
  • Tests cover create, list, get, delete, and regenerate operations
  • Input validation tests for UUID parameters
  • All 8 tests passing with OAuth 2.1 enabled GoTrue instance
  • Test behavior matches Python implementation from supabase-py#1240
  • Code passes dart analyze with no issues
  • Code formatted with dart format

Related

🤖 Generated with Claude Code
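An added example, not code from this PR or the gotrue package: a pure-Dart server-side pre-check of the redirect URIs before they are placed in `CreateOAuthClientParams` and sent to `admin.oauth.createClient()`. The rules follow OAuth 2.1's exact-match redirect requirements (absolute URI with a host, no fragment, no wildcard host, https except for loopback hosts used by native apps); whether the GoTrue OAuth server performs the same checks is assumed unknown here, so this runs in front of the admin call.

```dart
/// Added example (not from the PR): returns a list of problems found in the
/// redirect URIs; an empty list means they are acceptable for registration.
List<String> validateRedirectUris(List<String> redirectUris) {
  final problems = <String>[];
  if (redirectUris.isEmpty) {
    return ['at least one redirect URI is required'];
  }
  // Loopback hosts may use plain http for native-app flows; Uri.host strips
  // the brackets from an IPv6 literal, so '::1' is the form to compare against.
  const loopbackHosts = {'localhost', '127.0.0.1', '::1'};
  for (final raw in redirectUris) {
    final uri = Uri.tryParse(raw);
    if (uri == null || !uri.hasScheme || !uri.hasAuthority || uri.host.isEmpty) {
      problems.add('"$raw": must be an absolute URI with a host');
      continue;
    }
    if (uri.hasFragment) {
      problems.add('"$raw": fragment component is not allowed');
    }
    if (uri.host.contains('*')) {
      problems.add('"$raw": wildcard hosts defeat exact redirect matching');
    }
    final isLoopback = loopbackHosts.contains(uri.host);
    if (uri.scheme != 'https' && !(uri.scheme == 'http' && isLoopback)) {
      problems.add('"$raw": scheme must be https (http only for loopback)');
    }
  }
  return problems;
}

void main() {
  // Constructed sample input: one production URI, one loopback URI, and two
  // that should be rejected (plain http on a public host, fragment present).
  final candidates = [
    'https://myapp.com/callback',
    'http://127.0.0.1:8080/callback',
    'http://myapp.com/callback',
    'https://myapp.com/callback#token',
  ];
  final problems = validateRedirectUris(candidates);
  if (problems.isEmpty) {
    // Only now build CreateOAuthClientParams and call createClient()
    // with the service_role key on the server.
    print('all redirect URIs accepted');
  } else {
    problems.forEach(print);
  }
}
```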

Add support for OAuth 2.1 client administration endpoints in the gotrue package. This feature allows server-side management of OAuth clients through the admin API.

New functionality:
- admin.oauth.listClients(): List OAuth clients with pagination
- admin.oauth.createClient(): Register new OAuth client
- admin.oauth.getClient(): Get client details by ID
- admin.oauth.deleteClient(): Remove OAuth client
- admin.oauth.regenerateClientSecret(): Regenerate client secret

Only relevant when OAuth 2.1 server is enabled in Supabase Auth. All methods require service_role key and should only be called server-side.

Ported from: supabase/supabase-js#1582

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

- Update GoTrue from v2.175.0 to v2.180.0
- Enable OAuth server with dynamic registration in test infrastructure
- Fix parsing of optional `aud` field in OAuthClientListResponse
- Handle empty response bodies (204 No Content) for delete operations
- Update delete test to expect null client on successful deletion

All OAuth admin endpoint tests now passing, matching behavior from
supabase/supabase-py#1240

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@coveralls

Pull Request Test Coverage Report for Build 18289613337

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 91 of 95 (95.79%) changed or added relevant lines in 4 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.4%) to 80.885%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| packages/gotrue/lib/src/gotrue_admin_oauth_api.dart | 47 | 49 | 95.92% |
| packages/gotrue/lib/src/types/types.dart | 36 | 38 | 94.74% |

Totals:

  • Change from base Build 18159276591: 0.4%
  • Covered Lines: 3237
  • Relevant Lines: 4002

💛 - Coveralls

@grdsdev grdsdev merged commit ebc4c20 into main Oct 6, 2025
16 checks passed
@grdsdev grdsdev deleted the feat/oauth-admin-endpoints branch October 6, 2025 17:58