
feat: add Supabase Auth identifier to OAuth redirect URLs

Open cemalkilic opened this issue 1 month ago • 4 comments

Summary

Adds a Supabase Auth identifier (sb) to URL fragments in all OAuth redirect responses to help clients distinguish Supabase Auth redirects from third-party OAuth flows.

Problem

auth-js GoTrueClient currently intercepts all URL fragments containing access_token, including those from non-Supabase OAuth providers. This causes unintended logouts and authentication issues when users have other OAuth flows in their applications.

Related issue: https://github.com/supabase/supabase-js/issues/1697

Solution

Added an empty sb parameter to the URL fragment in all redirect responses:

  • Success redirects with tokens (via AsRedirectURL)
  • Error redirects in OAuth callbacks (supabase-js has an __isAuthError, but it is added to error redirects as well, to be fault-tolerant and to cover non-supabase-sdk cases)
  • Error redirects in verification flows
  • Message redirects in verification flows

Example redirect URL: https://example.com/callback#access_token=xxx&refresh_token=yyy&expires_in=3600&sb

Clients can now check for the presence of sb in the fragment to confirm the redirect originated from Supabase Auth.

cemalkilic, Dec 16 '25 11:12
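An added example (not code from this change or from auth-js) of the client-side check the description refers to: parse the fragment, match sb as an exact key, and consume tokens only from redirects that carry it. The function names are hypothetical, the sample URLs are constructed, and the `error` and `message` fragment keys are assumptions about what error and message redirects contain.

```javascript
// Added example; classifyRedirect and extractSession are hypothetical names,
// not auth-js APIs. Sample URLs below are constructed.

function classifyRedirect(href) {
  const fragment = new URL(href).hash.replace(/^#/, '');
  // URLSearchParams parses a bare `sb` (no "=") as key "sb" with value "".
  const params = new URLSearchParams(fragment);

  // Assumption: auth redirects carry one of these keys in the fragment.
  const looksLikeAuth = ['access_token', 'error', 'message'].some((k) => params.has(k));
  if (!looksLikeAuth) return { kind: 'none', params };

  // Exact key match, so `state=sb` or a key like `sbx` is not the marker.
  return { kind: params.has('sb') ? 'supabase' : 'foreign', params };
}

function extractSession(href) {
  const { kind, params } = classifyRedirect(href);
  // Leave fragments from other OAuth providers untouched.
  if (kind !== 'supabase' || !params.has('access_token')) return null;
  return {
    accessToken: params.get('access_token'),
    refreshToken: params.get('refresh_token'),
    expiresIn: Number(params.get('expires_in')),
  };
}

const SAMPLES = [
  'https://example.com/callback#access_token=xxx&refresh_token=yyy&expires_in=3600&sb',
  'https://example.com/callback#access_token=abc&token_type=bearer&state=sb',
  'https://example.com/callback#error=access_denied&error_description=denied&sb',
  'https://example.com/docs#section-2',
];
for (const href of SAMPLES) {
  console.log(classifyRedirect(href).kind, '<-', href);
}
```

The marker is unauthenticated fragment data, so it works as a routing hint only: tokens taken from the fragment still need the usual validation against the Auth server before a session is trusted.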