feat(auth): add OAuth server configuration support (#4207)

* feat(auth): add OAuth server configuration support

* Update internal/start/start.go

Co-authored-by: Han Qiao <[email protected]>

* chore: `authorization_url` -> `authorization_url_path`

* feat: update testdata

* fix: commit missing change

---------

Co-authored-by: Han Qiao <[email protected]>

Author: cemalkilic

internal/start/start.go

@@ -699,6 +699,15 @@ EOF
 		}
 		env = append(env, fmt.Sprintf("GOTRUE_EXTERNAL_WEB3_SOLANA_ENABLED=%v", utils.Config.Auth.Web3.Solana.Enabled))
 
+		// OAuth server configuration
+		if utils.Config.Auth.OAuthServer.Enabled {
+			env = append(env,
+				fmt.Sprintf("GOTRUE_OAUTH_SERVER_ENABLED=%v", utils.Config.Auth.OAuthServer.Enabled),
+				"GOTRUE_OAUTH_SERVER_AUTHORIZATION_PATH="+utils.Config.Auth.OAuthServer.AuthorizationUrlPath,
+				fmt.Sprintf("GOTRUE_OAUTH_SERVER_ALLOW_DYNAMIC_REGISTRATION=%v", utils.Config.Auth.OAuthServer.AllowDynamicRegistration),
+			)
+		}
+
 		if _, err := utils.DockerStart(
 			ctx,
 			container.Config{

pkg/config/auth.go

@@ -162,15 +162,16 @@ type (
 		SigningKeysPath            string               `toml:"signing_keys_path"`
 		SigningKeys                []JWK                `toml:"-"`
 
-		RateLimit rateLimit `toml:"rate_limit"`
-		Captcha   *captcha  `toml:"captcha"`
-		Hook      hook      `toml:"hook"`
-		MFA       mfa       `toml:"mfa"`
-		Sessions  sessions  `toml:"sessions"`
-		Email     email     `toml:"email"`
-		Sms       sms       `toml:"sms"`
-		External  external  `toml:"external"`
-		Web3      web3      `toml:"web3"`
+		RateLimit   rateLimit   `toml:"rate_limit"`
+		Captcha     *captcha    `toml:"captcha"`
+		Hook        hook        `toml:"hook"`
+		MFA         mfa         `toml:"mfa"`
+		Sessions    sessions    `toml:"sessions"`
+		Email       email       `toml:"email"`
+		Sms         sms         `toml:"sms"`
+		External    external    `toml:"external"`
+		Web3        web3        `toml:"web3"`
+		OAuthServer OAuthServer `toml:"oauth_server"`
 
 		// Custom secrets can be injected from .env file
 		PublishableKey Secret `toml:"publishable_key"`
@@ -368,6 +369,12 @@ type (
 		Solana   solana   `toml:"solana"`
 		Ethereum ethereum `toml:"ethereum"`
 	}
+
+	OAuthServer struct {
+		Enabled                  bool   `toml:"enabled"`
+		AllowDynamicRegistration bool   `toml:"allow_dynamic_registration"`
+		AuthorizationUrlPath     string `toml:"authorization_url_path"`
+	}
 )
 
 func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
@@ -399,6 +406,7 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
 	a.Sms.toAuthConfigBody(&body)
 	a.External.toAuthConfigBody(&body)
 	a.Web3.toAuthConfigBody(&body)
+	a.OAuthServer.toAuthConfigBody(&body)
 	return body
 }
 
@@ -426,6 +434,7 @@ func (a *auth) FromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	a.Sms.fromAuthConfig(remoteConfig)
 	a.External.fromAuthConfig(remoteConfig)
 	a.Web3.fromAuthConfig(remoteConfig)
+	a.OAuthServer.fromAuthConfig(remoteConfig)
 }
 
 func (r rateLimit) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
@@ -1338,6 +1347,18 @@ func (w *web3) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
 	}
 }
 
+func (o OAuthServer) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
+	// TODO(cemal) :: implement me
+	// OAuth server configuration is behind a feature flag in the remote API
+	// Will be implemented when the feature reaches GA
+}
+
+func (o *OAuthServer) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
+	// TODO(cemal) :: implement me
+	// OAuth server configuration is behind a feature flag in the remote API
+	// Will be implemented when the feature reaches GA
+}
+
 func (a *auth) DiffWithRemote(remoteConfig v1API.AuthConfigResponse, filter ...func(string) bool) ([]byte, error) {
 	copy := a.Clone()
 	copy.FromRemoteAuthConfig(remoteConfig)

pkg/config/templates/Dockerfile

@@ -10,7 +10,7 @@ FROM darthsim/imgproxy:v3.8.0 AS imgproxy
 FROM supabase/edge-runtime:v1.69.12 AS edgeruntime
 FROM timberio/vector:0.28.1-alpine AS vector
 FROM supabase/supavisor:2.7.0 AS supavisor
-FROM supabase/gotrue:v2.179.0 AS gotrue
+FROM supabase/gotrue:v2.180.0 AS gotrue
 FROM supabase/realtime:v2.51.3 AS realtime
 FROM supabase/storage-api:v1.27.4 AS storage
 FROM supabase/logflare:1.22.3 AS logflare

pkg/config/templates/config.toml

@@ -304,6 +304,15 @@ enabled = false
 # Obtain from https://clerk.com/setup/supabase
 # domain = "example.clerk.accounts.dev"
 
+# OAuth server configuration
+[auth.oauth_server]
+# Enable OAuth server functionality
+enabled = false
+# Path for OAuth consent flow UI
+authorization_url_path = "/oauth/consent"
+# Allow dynamic client registration
+allow_dynamic_registration = false
+
 [edge_runtime]
 enabled = true
 # Supported request policies: `oneshot`, `per_worker`.

pkg/config/testdata/config.toml

@@ -144,6 +144,15 @@ minimum_password_length = 6
 # are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols`
 password_requirements = ""
 
+# OAuth server configuration
+[auth.oauth_server]
+# Enable OAuth server functionality
+enabled = true
+# Path for OAuth consent flow UI
+authorization_url_path = "/oauth/consent"
+# Allow dynamic client registration
+allow_dynamic_registration = true
+
 [auth.rate_limit]
 # Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled.
 email_sent = 2