
Make PKCE optional for confidential clients in the OAuth server #2585

Description

@gormster

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

As described in https://github.com/orgs/supabase/discussions/44326. Many significant OAuth consumers do not provide PKCE challenges, and it seems unlikely that they will do so in the near future. The original thread is about Shopify; my issue is with Microsoft Power Platform Connectors. Both big hitters, both slow to move.

To Reproduce

These are the specific steps for Power Automate, but it applies

  1. Activate the OAuth server in Supabase (and implement the OAuth consent UI as described in the docs)
  2. Create a confidential client. (You'll have to enter a temporary redirect URI as Power Automate doesn't give you one until you save the connector)
  3. Create a custom connector in Power Automate (you can create a functional one with the OpenAPI spec you can download from the /rest/v1/ endpoint, but it's not really necessary for this test; you just need to get to the "Test" stage of the custom connector building step)
  4. Set the authentication type in the connector to OAuth 2.0 and fill in the fields from your Supabase OAuth Server info.
  5. Update the client registration in Supabase replacing the temporary redirect URI with the real one from PA
  6. Proceed to the testing phase of creating the custom connector
  7. Click "New Connection" to sign in to the custom connector

Expected behavior

The popup window should display the UI for sign in and complete the authorization flow.

Actual behavior

The sign-in window opens briefly and then instantly closes without creating a connection.

The instant closing is more an issue on Microsoft's end – if you disable window.close in the popup, you can see that the URI it's come back with has an error message, base64 encoded. When decoded it reads:

Failure passed to redirect url.
error=invalid_request
error_description=PKCE flow requires both code_challenge and code_challenge_method

System information

  • OS: macOS 26.5 (25F71)
  • Browser (if applies): Chrome, Safari
  • Version of supabase-js: 2.108.2
  • Version of Node.js: n/a

Additional context

@Nickalus12 mentioned on the original discussion "It's worth raising this as a specific compatibility request in the supabase/auth repo", which @jedsaxon said they would but apparently didn't (no shade, Jed, I've done it myself plenty of times! Life gets in the way!), so I'm raising it now.
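The policy this issue asks for, written out as an added example in Go (supabase/auth is a Go project): this is not supabase/auth's own code, and the `Client`, `AuthorizeParams` types and function names are hypothetical. It shows the authorization-endpoint decision that keeps PKCE mandatory for public clients (which cannot authenticate at the token endpoint) while making it optional for confidential clients, and the token-endpoint side that still enforces the S256 verifier whenever a challenge was sent. The error string for the public-client case mirrors the one quoted above; the verifier/challenge pair used for the self-check is the published RFC 7636 Appendix B vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Client is a hypothetical registered OAuth client record (not supabase/auth's type).
// Confidential is true when the client was issued a client_secret and is expected
// to authenticate with it at the token endpoint.
type Client struct {
	ID           string
	Confidential bool
}

// AuthorizeParams holds the PKCE-related subset of /authorize query parameters.
type AuthorizeParams struct {
	CodeChallenge       string
	CodeChallengeMethod string
}

var (
	// Same wording as the error the reporter decoded from the redirect.
	ErrPKCERequired   = errors.New("invalid_request: PKCE flow requires both code_challenge and code_challenge_method")
	ErrPartialPKCE    = errors.New("invalid_request: code_challenge and code_challenge_method must be supplied together")
	ErrBadMethod      = errors.New("invalid_request: unsupported code_challenge_method")
	ErrVerifierFailed = errors.New("invalid_grant: code_verifier does not match code_challenge")
)

// ValidateAuthorize decides whether an authorization request may proceed.
// Public clients must always send a PKCE challenge. Confidential clients may omit
// it because client_secret authentication binds the code exchange to them instead;
// if they do send a challenge it is validated and later enforced.
// The bool reports whether PKCE is active for the code that will be issued.
func ValidateAuthorize(c Client, p AuthorizeParams) (bool, error) {
	hasChallenge := p.CodeChallenge != ""
	hasMethod := p.CodeChallengeMethod != ""
	switch {
	case !hasChallenge && !hasMethod:
		if !c.Confidential {
			return false, ErrPKCERequired
		}
		return false, nil // confidential client: PKCE optional
	case hasChallenge != hasMethod:
		return false, ErrPartialPKCE // half a PKCE request is a client bug, never accept it
	}
	// Design choice: only S256 is accepted; "plain" gives no protection against a
	// leaked authorization code, so this example rejects it outright.
	if p.CodeChallengeMethod != "S256" {
		return false, ErrBadMethod
	}
	return true, nil
}

// ComputeChallenge derives the S256 code_challenge from a code_verifier
// (RFC 7636 section 4.2): BASE64URL(SHA256(verifier)) without padding.
func ComputeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeExchange is the token-endpoint side. storedChallenge is whatever was
// bound to the authorization code when it was issued ("" when a confidential
// client skipped PKCE, in which case client authentication, assumed to have
// already succeeded, carries the weight). A challenge that was sent must match.
func VerifyCodeExchange(storedChallenge, codeVerifier string) error {
	if storedChallenge == "" {
		return nil
	}
	expected := ComputeChallenge(codeVerifier)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) != 1 {
		return ErrVerifierFailed
	}
	return nil
}

func main() {
	conf := Client{ID: "power-automate-connector", Confidential: true} // constructed example client
	active, err := ValidateAuthorize(conf, AuthorizeParams{})
	fmt.Println("confidential client without PKCE:", active, err)

	pub := Client{ID: "spa", Confidential: false}
	_, err = ValidateAuthorize(pub, AuthorizeParams{})
	fmt.Println("public client without PKCE:", err)

	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" // RFC 7636 Appendix B
	fmt.Println("challenge:", ComputeChallenge(verifier))
}
```

The decision hinges on one fact about the client record: whether it is confidential. That is why the relaxation belongs in the server-side policy keyed on the registered client, not in a global switch; a public client that omits PKCE still gets the same `invalid_request` response quoted in the bug.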

Labels: bug