feat(auth): implement linkIdentity with OIDC (#776)

* feat(auth): implement linkIdentity with OIDC

- Add linkIdentityWithIdToken method to AuthClient
- Refactor signInWithIdToken to support identity linking
- Add linkIdentity property to OpenIDConnectCredentials
- Improve code formatting consistency

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* test(auth): record snapshots

* test: add snapshot test for linkIdentityWithIdToken method

* add link identity with oidc example

* refactor: simplify linkIdentityWithIdToken implementation

- Remove private _signInWithIdToken helper method
- Inline the implementation directly in linkIdentityWithIdToken
- Update test to include Authorization header in expected request
- Add session storage setup for linkIdentityWithIdToken test

* test: add event assertions to testLinkIdentityWithIdToken

- Add event monitoring to verify userUpdated event is triggered
- Assert correct event sequence: [.initialSession, .userUpdated]
- Verify session state is properly updated
- Follow consistent testing pattern with other auth tests

* refactor: add convenience methods for auth event assertions

- Add assertAuthStateChanges convenience methods to reduce code duplication
- Support both action-based and post-action event assertion patterns
- Refactor testSignOut, testSignInAnonymously, and testLinkIdentityWithIdToken to use new methods
- Improve test readability and maintainability
- Reduce boilerplate code in auth state change tests

* refactor: simplify assertAuthStateChanges by using expectedEvents.count

- Remove expectedEventCount parameter from convenience methods
- Use expectedEvents.count to determine number of events to collect
- Reduces API surface and eliminates redundant parameter
- Makes the methods more intuitive and less error-prone

* refactor: improve testLinkIdentityWithIdToken and assertAuthStateChanges

- Refactor testLinkIdentityWithIdToken to use action-based assertAuthStateChanges
- Add proper error location tracking with fileID, filePath, line, and column parameters
- Remove unused post-action assertAuthStateChanges method
- Improve test structure by combining action execution with event assertion
- Fix indentation in commented testGenerateLink_signUp test

* refactor: improve linkIdentityWithIdToken implementation

- Replace _signIn helper with direct api.execute call
- Add explicit session manager update after successful API call
- Add explicit eventEmitter.emit(.userUpdated) for proper event handling
- Ensure consistent behavior with other identity linking methods
- Improve code clarity by removing unnecessary abstraction layer

---------

Co-authored-by: Claude <[email protected]>

Author: grdsdev

Examples/Examples.xcodeproj/project.pbxproj

@@ -815,7 +815,6 @@
 				SUPPORTS_MACCATALYST = NO;
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_VERSION = 5.0;
 				TARGETED_DEVICE_FAMILY = "1,2,7";
 			};
 			name = Debug;
@@ -855,7 +854,6 @@
 				SUPPORTED_PLATFORMS = "iphoneos iphonesimulator macosx xros xrsimulator";
 				SUPPORTS_MACCATALYST = NO;
 				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_VERSION = 5.0;
 				TARGETED_DEVICE_FAMILY = "1,2,7";
 			};
 			name = Release;
@@ -896,7 +894,6 @@
 				SUPPORTED_PLATFORMS = "iphoneos iphonesimulator macosx";
 				SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_VERSION = 5.0;
 				TARGETED_DEVICE_FAMILY = "1,2";
 			};
 			name = Debug;
@@ -936,7 +933,6 @@
 				SDKROOT = auto;
 				SUPPORTED_PLATFORMS = "iphoneos iphonesimulator macosx";
 				SWIFT_EMIT_LOC_STRINGS = YES;
-				SWIFT_VERSION = 5.0;
 				TARGETED_DEVICE_FAMILY = "1,2";
 			};
 			name = Release;

Examples/Examples/Examples.entitlements

@@ -2,6 +2,10 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.developer.applesignin</key>
+	<array>
+		<string>Default</string>
+	</array>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
 	<key>com.apple.security.files.user-selected.read-only</key>

Examples/Examples/Profile/UserIdentityList.swift

@@ -5,6 +5,7 @@
 //  Created by Guilherme Souza on 22/03/24.
 //
 
+import AuthenticationServices
 import Supabase
 import SwiftUI
 
@@ -62,7 +63,11 @@ struct UserIdentityList: View {
               Button(provider.rawValue) {
                 Task {
                   do {
-                    try await supabase.auth.linkIdentity(provider: provider)
+                    if provider == .apple {
+                      try await linkAppleIdentity()
+                    } else {
+                      try await supabase.auth.linkIdentity(provider: provider)
+                    }
                   } catch {
                     self.error = error
                   }
@@ -74,8 +79,67 @@ struct UserIdentityList: View {
       }
     #endif
   }
+
+  private func linkAppleIdentity() async throws {
+    let provider = ASAuthorizationAppleIDProvider()
+    let request = provider.createRequest()
+    request.requestedScopes = [.email, .fullName]
+
+    let controller = ASAuthorizationController(authorizationRequests: [request])
+    let authorization = try await controller.performRequests()
+
+    guard let credential = authorization.credential as? ASAuthorizationAppleIDCredential else {
+      debug("Invalid credential")
+      return
+    }
+
+    guard
+      let identityToken = credential.identityToken.flatMap({ String(data: $0, encoding: .utf8) })
+    else {
+      debug("Invalid identity token")
+      return
+    }
+
+    try await supabase.auth.linkIdentityWithIdToken(
+      credentials: OpenIDConnectCredentials(
+        provider: .apple,
+        idToken: identityToken
+      )
+    )
+  }
 }
 
 #Preview {
   UserIdentityList()
 }
+
+extension ASAuthorizationController {
+  @MainActor
+  func performRequests() async throws -> ASAuthorization {
+    let delegate = _Delegate()
+    self.delegate = delegate
+    return try await withCheckedThrowingContinuation { continuation in
+      delegate.continuation = continuation
+
+      self.performRequests()
+    }
+  }
+
+  private final class _Delegate: NSObject, ASAuthorizationControllerDelegate {
+    var continuation: CheckedContinuation<ASAuthorization, any Error>?
+
+    func authorizationController(
+      controller: ASAuthorizationController,
+      didCompleteWithAuthorization authorization: ASAuthorization
+    ) {
+      continuation?.resume(returning: authorization)
+    }
+
+    func authorizationController(
+      controller: ASAuthorizationController,
+      didCompleteWithError error: any Error
+    ) {
+      continuation?.resume(throwing: error)
+    }
+  }
+}

Sources/Auth/AuthClient.swift

@@ -578,7 +578,8 @@ public actor AuthClient {
 
     if codeVerifier == nil {
       logger?.error(
-        "code verifier not found, a code verifier should exist when calling this method.")
+        "code verifier not found, a code verifier should exist when calling this method."
+      )
     }
 
     let session: Session = try await api.execute(
@@ -804,7 +805,8 @@ public actor AuthClient {
     case .implicit:
       guard isImplicitGrantFlow(params: params) else {
         throw AuthError.implicitGrantRedirect(
-          message: "Not a valid implicit grant flow URL: \(url)")
+          message: "Not a valid implicit grant flow URL: \(url)"
+        )
       }
       return try await handleImplicitGrantFlow(params: params)
 
@@ -821,7 +823,8 @@ public actor AuthClient {
 
     if let errorDescription = params["error_description"] {
       throw AuthError.implicitGrantRedirect(
-        message: errorDescription.replacingOccurrences(of: "+", with: " "))
+        message: errorDescription.replacingOccurrences(of: "+", with: " ")
+      )
     }
 
     guard
@@ -1177,6 +1180,30 @@ public actor AuthClient {
     try await user().identities ?? []
   }
 
+  /// Link an identity to the current user using an ID token.
+  @discardableResult
+  public func linkIdentityWithIdToken(
+    credentials: OpenIDConnectCredentials
+  ) async throws -> Session {
+    var credentials = credentials
+    credentials.linkIdentity = true
+
+    let session = try await api.execute(
+      .init(
+        url: configuration.url.appendingPathComponent("token"),
+        method: .post,
+        query: [URLQueryItem(name: "grant_type", value: "id_token")],
+        headers: [.authorization: "Bearer \(session.accessToken)"],
+        body: configuration.encoder.encode(credentials)
+      )
+    ).decoded(as: Session.self, decoder: configuration.decoder)
+
+    await sessionManager.update(session)
+    eventEmitter.emit(.userUpdated, session: session)
+
+    return session
+  }
+
   /// Links an OAuth identity to an existing user.
   ///
   /// This method supports the PKCE flow.
@@ -1378,7 +1405,8 @@ public actor AuthClient {
   ) throws -> URL {
     guard
       var components = URLComponents(
-        url: url, resolvingAgainstBaseURL: false
+        url: url,
+        resolvingAgainstBaseURL: false
       )
     else {
       throw URLError(.badURL)

Sources/Auth/Types.swift

@@ -336,6 +336,8 @@ public struct OpenIDConnectCredentials: Codable, Hashable, Sendable {
   /// Verification token received when the user completes the captcha on the site.
   public var gotrueMetaSecurity: AuthMetaSecurity?
 
+  var linkIdentity: Bool = false
+
   public init(
     provider: Provider,
     idToken: String,