Bug report
Describe the bug
As described in https://github.com/orgs/supabase/discussions/44326. Many significant OAuth consumers do not provide PKCE challenges, and it seems unlikely that they will do so in the near future. The original thread is about Shopify; my issue is with Microsoft Power Platform Connectors. Both big hitters, both slow to move.
To Reproduce
These are the specific steps for Power Automate, but it applies
- Activate the OAuth server in Supabase (and implement the OAuth consent UI as described in the docs)
- Create a confidential client. (You'll have to enter a temporary redirect URI as Power Automate doesn't give you one until you save the connector)
- Create a custom connector in Power Automate (you can create a functional one with the OpenAPI spec you can download from the /rest/v1/ endpoint, but it's not really necessary for this test; you just need to get to the "Test" stage of the custom connector building step)
- Set the authentication type in the connector to OAuth 2.0 and fill in the fields from your Supabase OAuth Server info.
- Update the client registration in Supabase, replacing the temporary redirect URI with the real one from PA
- Proceed to the testing phase of creating the custom connector
- Click "New Connection" to sign in to the custom connector
Expected behavior
The popup window should display the UI for sign in and complete the authorization flow.
Actual behavior
The sign in window opens briefly and then instantly closes without creating a connection.
The instant closing is more an issue on Microsoft's end – if you disable window.close in the popup, you can see that the URI it's come back with has an error message, base64 encoded. When decoded it reads:
Failure passed to redirect url.
error=invalid_request
error_description=PKCE flow requires both code_challenge and code_challenge_method
System information
- OS: macOS 26.5 (25F71)
- Browser (if applies): Chrome, Safari
- Version of supabase-js: 2.108.2
- Version of Node.js: n/a
Additional context
@Nickalus12 mentioned on the original discussion "It's worth raising this as a specific compatibility request in the supabase/auth repo" which @jedsaxon said they would but apparently didn't (no shade, Jed, I've done it myself plenty of times! Life gets in the way!) so I'm raising it now.