Merge branch 'master' into iat/remove-create-extension-pg-trgm

Author: issuedat

hack/test_asymmetric.env

@@ -0,0 +1,135 @@
+GOTRUE_JWT_SECRET=X4dNv2oLvR7BnqmYk07Fi2NG2frvL2sxNQ9hxBJ65eDkFQ4He6qHrLJB9UrjYIZ1Rk0/yeh4vmihlCtxpFTeVQ==
+GOTRUE_JWT_KEYS=[{"kty":"oct","alg":"HS256","k":"WDRkTnYyb0x2UjdCbnFtWWswN0ZpMk5HMmZydkwyc3hOUTloeEJKNjVlRGtGUTRIZTZxSHJMSkI5VXJqWUlaMVJrMC95ZWg0dm1paGxDdHhwRlRlVlE9PQ","key_ops":["verify"],"kid":"jJmZzsVatG6yZMkn"},{"alg":"ES256","kid":"21a9eafe-24ab-4d10-960b-f949490f65e1","key_ops":["sign","verify"],"ext":true,"kty":"EC","x":"4vFbTWzvWn3qQv-9VUUlCK4tIMm_42raimXz2hywstU","y":"iggwYm-VfYTgBYKM4b0cyzmuHreNuR7x-986NUAvbAE","crv":"P-256","d":"DhhUbBJeGUwLlMO0SV-8U6idnsfsx5TOkZaJu-tsoF4"}]
+GOTRUE_JWT_EXP=3600
+GOTRUE_JWT_AUD="authenticated"
+GOTRUE_JWT_ADMIN_ROLES="supabase_admin,service_role"
+GOTRUE_JWT_DEFAULT_GROUP_NAME="authenticated"
+GOTRUE_DB_DRIVER=postgres
+DB_NAMESPACE="auth"
+GOTRUE_DB_AUTOMIGRATE=true
+DATABASE_URL="postgres://supabase_auth_admin:root@localhost:5432/postgres"
+GOTRUE_API_HOST=localhost
+PORT=9999
+API_EXTERNAL_URL="http://localhost:9999"
+GOTRUE_LOG_SQL=none
+GOTRUE_LOG_LEVEL=warn
+GOTRUE_SITE_URL=https://example.netlify.com
+GOTRUE_URI_ALLOW_LIST="http://localhost:3000,https://supabase.com/,http://localhost:5173/"
+GOTRUE_OPERATOR_TOKEN=foobar
+GOTRUE_EXTERNAL_APPLE_ENABLED=true
+GOTRUE_EXTERNAL_APPLE_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_APPLE_SECRET=testsecret
+GOTRUE_EXTERNAL_APPLE_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_AZURE_ENABLED=true
+GOTRUE_EXTERNAL_AZURE_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_AZURE_SECRET=testsecret
+GOTRUE_EXTERNAL_AZURE_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_BITBUCKET_ENABLED=true
+GOTRUE_EXTERNAL_BITBUCKET_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_BITBUCKET_SECRET=testsecret
+GOTRUE_EXTERNAL_BITBUCKET_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_DISCORD_ENABLED=true
+GOTRUE_EXTERNAL_DISCORD_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_DISCORD_SECRET=testsecret
+GOTRUE_EXTERNAL_DISCORD_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_FACEBOOK_ENABLED=true
+GOTRUE_EXTERNAL_FACEBOOK_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_FACEBOOK_SECRET=testsecret
+GOTRUE_EXTERNAL_FACEBOOK_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_FLY_ENABLED=true
+GOTRUE_EXTERNAL_FLY_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_FLY_SECRET=testsecret
+GOTRUE_EXTERNAL_FLY_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_FIGMA_ENABLED=true
+GOTRUE_EXTERNAL_FIGMA_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_FIGMA_SECRET=testsecret
+GOTRUE_EXTERNAL_FIGMA_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_GITHUB_ENABLED=true
+GOTRUE_EXTERNAL_GITHUB_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_GITHUB_SECRET=testsecret
+GOTRUE_EXTERNAL_GITHUB_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_KAKAO_ENABLED=true
+GOTRUE_EXTERNAL_KAKAO_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_KAKAO_SECRET=testsecret
+GOTRUE_EXTERNAL_KAKAO_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_KEYCLOAK_ENABLED=true
+GOTRUE_EXTERNAL_KEYCLOAK_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_KEYCLOAK_SECRET=testsecret
+GOTRUE_EXTERNAL_KEYCLOAK_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_KEYCLOAK_URL=https://keycloak.example.com/auth/realms/myrealm
+GOTRUE_EXTERNAL_LINKEDIN_ENABLED=true
+GOTRUE_EXTERNAL_LINKEDIN_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_LINKEDIN_SECRET=testsecret
+GOTRUE_EXTERNAL_LINKEDIN_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_LINKEDIN_OIDC_ENABLED=true
+GOTRUE_EXTERNAL_LINKEDIN_OIDC_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_LINKEDIN_OIDC_SECRET=testsecret
+GOTRUE_EXTERNAL_LINKEDIN_OIDC_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_GITLAB_ENABLED=true
+GOTRUE_EXTERNAL_GITLAB_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_GITLAB_SECRET=testsecret
+GOTRUE_EXTERNAL_GITLAB_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_GOOGLE_ENABLED=true
+GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_GOOGLE_SECRET=testsecret
+GOTRUE_EXTERNAL_GOOGLE_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_NOTION_ENABLED=true
+GOTRUE_EXTERNAL_NOTION_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_NOTION_SECRET=testsecret
+GOTRUE_EXTERNAL_NOTION_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_SNAPCHAT_ENABLED=true
+GOTRUE_EXTERNAL_SNAPCHAT_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_SNAPCHAT_SECRET=testsecret
+GOTRUE_EXTERNAL_SNAPCHAT_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_SNAPCHAT_EMAIL_OPTIONAL=true
+GOTRUE_EXTERNAL_SPOTIFY_ENABLED=true
+GOTRUE_EXTERNAL_SPOTIFY_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_SPOTIFY_SECRET=testsecret
+GOTRUE_EXTERNAL_SPOTIFY_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_SLACK_ENABLED=true
+GOTRUE_EXTERNAL_SLACK_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_SLACK_SECRET=testsecret
+GOTRUE_EXTERNAL_SLACK_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_SLACK_OIDC_ENABLED=true
+GOTRUE_EXTERNAL_SLACK_OIDC_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_SLACK_OIDC_SECRET=testsecret
+GOTRUE_EXTERNAL_SLACK_OIDC_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_WORKOS_ENABLED=true
+GOTRUE_EXTERNAL_WORKOS_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_WORKOS_SECRET=testsecret
+GOTRUE_EXTERNAL_WORKOS_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_TWITCH_ENABLED=true
+GOTRUE_EXTERNAL_TWITCH_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_TWITCH_SECRET=testsecret
+GOTRUE_EXTERNAL_TWITCH_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_TWITTER_ENABLED=true
+GOTRUE_EXTERNAL_TWITTER_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_TWITTER_SECRET=testsecret
+GOTRUE_EXTERNAL_TWITTER_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_ZOOM_ENABLED=true
+GOTRUE_EXTERNAL_ZOOM_CLIENT_ID=testclientid
+GOTRUE_EXTERNAL_ZOOM_SECRET=testsecret
+GOTRUE_EXTERNAL_ZOOM_REDIRECT_URI=https://identity.services.netlify.com/callback
+GOTRUE_EXTERNAL_FLOW_STATE_EXPIRY_DURATION="300s"
+GOTRUE_EXTERNAL_WEB3_SOLANA_ENABLED="true"
+GOTRUE_RATE_LIMIT_VERIFY="100000"
+GOTRUE_RATE_LIMIT_TOKEN_REFRESH="30"
+GOTRUE_RATE_LIMIT_ANONYMOUS_USERS="5"
+GOTRUE_RATE_LIMIT_HEADER="My-Custom-Header"
+GOTRUE_TRACING_ENABLED=true
+GOTRUE_TRACING_EXPORTER=default
+GOTRUE_TRACING_HOST=127.0.0.1
+GOTRUE_TRACING_PORT=8126
+GOTRUE_TRACING_TAGS="env:test"
+GOTRUE_SECURITY_CAPTCHA_ENABLED="false"
+GOTRUE_SECURITY_CAPTCHA_PROVIDER="hcaptcha"
+GOTRUE_SECURITY_CAPTCHA_SECRET="0x0000000000000000000000000000000000000000"
+GOTRUE_SECURITY_CAPTCHA_TIMEOUT="10s"
+GOTRUE_SAML_ENABLED="true"
+GOTRUE_SAML_PRIVATE_KEY="MIIEowIBAAKCAQEAszrVveMQcSsa0Y+zN1ZFb19cRS0jn4UgIHTprW2tVBmO2PABzjY3XFCfx6vPirMAPWBYpsKmXrvm1tr0A6DZYmA8YmJd937VUQ67fa6DMyppBYTjNgGEkEhmKuszvF3MARsIKCGtZqUrmS7UG4404wYxVppnr2EYm3RGtHlkYsXu20MBqSDXP47bQP+PkJqC3BuNGk3xt5UHl2FSFpTHelkI6lBynw16B+lUT1F96SERNDaMqi/TRsZdGe5mB/29ngC/QBMpEbRBLNRir5iUevKS7Pn4aph9Qjaxx/97siktK210FJT23KjHpgcUfjoQ6BgPBTLtEeQdRyDuc/CgfwIDAQABAoIBAGYDWOEpupQPSsZ4mjMnAYJwrp4ZISuMpEqVAORbhspVeb70bLKonT4IDcmiexCg7cQBcLQKGpPVM4CbQ0RFazXZPMVq470ZDeWDEyhoCfk3bGtdxc1Zc9CDxNMs6FeQs6r1beEZug6weG5J/yRn/qYxQife3qEuDMl+lzfl2EN3HYVOSnBmdt50dxRuX26iW3nqqbMRqYn9OHuJ1LvRRfYeyVKqgC5vgt/6Tf7DAJwGe0dD7q08byHV8DBZ0pnMVU0bYpf1GTgMibgjnLjK//EVWafFHtN+RXcjzGmyJrk3+7ZyPUpzpDjO21kpzUQLrpEkkBRnmg6bwHnSrBr8avECgYEA3pq1PTCAOuLQoIm1CWR9/dhkbJQiKTJevlWV8slXQLR50P0WvI2RdFuSxlWmA4xZej8s4e7iD3MYye6SBsQHygOVGc4efvvEZV8/XTlDdyj7iLVGhnEmu2r7AFKzy8cOvXx0QcLg+zNd7vxZv/8D3Qj9Jje2LjLHKM5n/dZ3RzUCgYEAzh5Lo2anc4WN8faLGt7rPkGQF+7/18ImQE11joHWa3LzAEy7FbeOGpE/vhOv5umq5M/KlWFIRahMEQv4RusieHWI19ZLIP+JwQFxWxS+cPp3xOiGcquSAZnlyVSxZ//dlVgaZq2o2MfrxECcovRlaknl2csyf+HjFFwKlNxHm2MCgYAr//R3BdEy0oZeVRndo2lr9YvUEmu2LOihQpWDCd0fQw0ZDA2kc28eysL2RROte95r1XTvq6IvX5a0w11FzRWlDpQ4J4/LlcQ6LVt+98SoFwew+/PWuyLmxLycUbyMOOpm9eSc4wJJZNvaUzMCSkvfMtmm5jgyZYMMQ9A2Ul/9SQKBgB9mfh9mhBwVPIqgBJETZMMXOdxrjI5SBYHGSyJqpT+5Q0vIZLfqPrvNZOiQFzwWXPJ+tV4Mc/YorW3rZOdo6tdvEGnRO6DLTTEaByrY/io3/gcBZXoSqSuVRmxleqFdWWRnB56c1hwwWLqNHU+1671FhL6pNghFYVK4suP6qu4BAoGBAMk+VipXcIlD67mfGrET/xDqiWWBZtgTzTMjTpODhDY1GZck1eb4CQMP5j5V3gFJ4cSgWDJvnWg8rcz0unz/q4aeMGl1rah5WNDWj1QKWMS6vJhMHM/rqN1WHWR0ZnV83svYgtg0zDnQKlLujqW4JmGXLMU7ur6a+e6lpa1fvLsP"
+GOTRUE_MAX_VERIFIED_FACTORS=10
+GOTRUE_SMS_TEST_OTP_VALID_UNTIL=""
+GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPT=true
+GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY_ID=abc
+GOTRUE_SECURITY_DB_ENCRYPTION_ENCRYPTION_KEY=pwFoiPyybQMqNmYVN0gUnpbfpGQV2sDv9vp0ZAxi_Y4
+GOTRUE_SECURITY_DB_ENCRYPTION_DECRYPTION_KEYS=abc:pwFoiPyybQMqNmYVN0gUnpbfpGQV2sDv9vp0ZAxi_Y4

internal/api/api.go

@@ -175,10 +175,12 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 
 	r.Get("/health", api.HealthCheck)
 	r.Get("/.well-known/jwks.json", api.WellKnownJwks)
-	r.Get("/.well-known/openid-configuration", api.WellKnownOpenID)
 
+	// Both OIDC Discovery and OAuth Authorization Server Metadata use the same unified handler
+	// OIDC Discovery is an extension of RFC 8414, so one response satisfies both specs
+	r.Get("/.well-known/openid-configuration", api.WellKnownOpenID)
 	if globalConfig.OAuthServer.Enabled {
-		r.Get("/.well-known/oauth-authorization-server", api.oauthServer.OAuthServerMetadata)
+		r.Get("/.well-known/oauth-authorization-server", api.WellKnownOpenID)
 	}
 
 	r.Route("/callback", func(r *router) {
@@ -374,6 +376,9 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 				// OAuth Token endpoint (public, with client authentication)
 				r.With(api.requireOAuthClientAuth).Post("/token", api.oauthServer.OAuthToken)
 
+				// OIDC UserInfo endpoint (requires user authentication via Bearer token)
+				r.With(api.requireAuthentication).Get("/userinfo", api.oauthServer.OAuthUserInfo)
+
 				// OAuth 2.1 Authorization endpoints
 				// `/authorize` to initiate OAuth2 authorization code flow where Supabase Auth is the OAuth2 provider
 				r.Get("/authorize", api.oauthServer.OAuthServerAuthorize)

internal/api/auth.go

@@ -10,6 +10,7 @@ import (
 	"github.com/gofrs/uuid"
 	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/supabase/auth/internal/api/apierrors"
+	"github.com/supabase/auth/internal/api/shared"
 	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/storage"
@@ -147,6 +148,8 @@ func (a *API) maybeLoadUserOrSession(ctx context.Context) (context.Context, erro
 			return ctx, err
 		}
 		ctx = withSession(ctx, session)
+		// Also store in shared context for cross-package access (e.g., oauthserver package)
+		ctx = shared.WithSession(ctx, session)
 	}
 	return ctx, nil
 }

internal/api/jwks.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	jwk "github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/supabase/auth/internal/models"
 )
 
 type JwksResponse struct {
@@ -29,18 +30,91 @@ func (a *API) WellKnownJwks(w http.ResponseWriter, r *http.Request) error {
 	return sendJSON(w, http.StatusOK, resp)
 }
 
+// OpenIDConfigurationResponse represents both OIDC Discovery and OAuth 2.0 Authorization Server Metadata
+// This unified response serves both:
+// - /.well-known/openid-configuration (OIDC Discovery per OpenID Connect Discovery 1.0)
+// - /.well-known/oauth-authorization-server (OAuth Authorization Server Metadata per RFC 8414)
+//
+// Since OIDC Discovery extends RFC 8414, a single response structure satisfies both specifications.
 type OpenIDConfigurationResponse struct {
-	Issuer  string `json:"issuer"`
-	JWKSURL string `json:"jwks_uri"`
+	// Core Discovery Fields (Required by both OIDC and OAuth 2.0)
+	Issuer                string `json:"issuer"`
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+	JWKSURL               string `json:"jwks_uri"`
+	UserInfoEndpoint      string `json:"userinfo_endpoint,omitempty"` // OIDC-specific
+	RegistrationEndpoint  string `json:"registration_endpoint,omitempty"`
+
+	// Supported Parameters
+	ScopesSupported                   []string `json:"scopes_supported,omitempty"`
+	ResponseTypesSupported            []string `json:"response_types_supported"`
+	ResponseModesSupported            []string `json:"response_modes_supported,omitempty"`
+	GrantTypesSupported               []string `json:"grant_types_supported"`
+	SubjectTypesSupported             []string `json:"subject_types_supported"`               // OIDC-specific
+	IDTokenSigningAlgValuesSupported  []string `json:"id_token_signing_alg_values_supported"` // OIDC-specific
+	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
+	ClaimsSupported                   []string `json:"claims_supported,omitempty"`       // OIDC-specific
+	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"` // OAuth 2.1/PKCE
 }
 
+// WellKnownOpenID handles both OIDC Discovery and OAuth 2.0 Authorization Server Metadata endpoints
+// This unified handler serves:
+// - GET /.well-known/openid-configuration (OIDC Discovery)
+// - GET /.well-known/oauth-authorization-server (RFC 8414)
+//
+// Both endpoints return the same comprehensive metadata since OIDC Discovery is a superset of OAuth 2.0 metadata
 func (a *API) WellKnownOpenID(w http.ResponseWriter, r *http.Request) error {
 	config := a.config
+	issuer := config.JWT.Issuer
+
+	// Ensure issuer doesn't end with a slash to avoid double slashes in URLs
+	for len(issuer) > 0 && issuer[len(issuer)-1] == '/' {
+		issuer = issuer[:len(issuer)-1]
+	}
+
+	response := OpenIDConfigurationResponse{
+		Issuer:                config.JWT.Issuer,
+		AuthorizationEndpoint: issuer + "/oauth/authorize",
+		TokenEndpoint:         issuer + "/oauth/token",
+		JWKSURL:               issuer + "/.well-known/jwks.json",
+		UserInfoEndpoint:      issuer + "/oauth/userinfo",
+
+		// OAuth 2.1 / OIDC Supported Features
+		ResponseTypesSupported:            []string{"code"},
+		ResponseModesSupported:            []string{"query"},
+		GrantTypesSupported:               []string{"authorization_code", "refresh_token"},
+		SubjectTypesSupported:             []string{"public"},
+		IDTokenSigningAlgValuesSupported:  []string{"RS256", "HS256", "ES256"}, // TODO :: should create this based on signing key config?
+		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post", "none"},
+		CodeChallengeMethodsSupported:     []string{"S256", "plain"},
+		ScopesSupported:                   models.SupportedOAuthScopes,
+
+		// OIDC Standard Claims
+		ClaimsSupported: []string{
+			"sub",
+			"aud",
+			"iss",
+			"exp",
+			"iat",
+			"auth_time",
+			"nonce",
+			"email",
+			"email_verified",
+			"phone_number",
+			"phone_number_verified",
+			"name",
+			"picture",
+			"preferred_username",
+			"updated_at",
+		},
+	}
+
+	// Include registration endpoint if dynamic registration is enabled
+	if config.OAuthServer.Enabled && config.OAuthServer.AllowDynamicRegistration {
+		response.RegistrationEndpoint = issuer + "/oauth/clients/register"
+	}
 
 	w.Header().Set("Cache-Control", "public, max-age=600")
 
-	return sendJSON(w, http.StatusOK, OpenIDConfigurationResponse{
-		Issuer:  config.JWT.Issuer,
-		JWKSURL: config.JWT.Issuer + "/.well-known/jwks.json",
-	})
+	return sendJSON(w, http.StatusOK, response)
 }

internal/api/oauthserver/authorize.go

@@ -30,6 +30,7 @@ type AuthorizeParams struct {
 	Resource            string `json:"resource"`
 	CodeChallenge       string `json:"code_challenge"`
 	CodeChallengeMethod string `json:"code_challenge_method"`
+	Nonce               string `json:"nonce"` // OIDC nonce parameter
 }
 
 // AuthorizationDetailsResponse represents the response for getting authorization details
@@ -96,6 +97,7 @@ func (s *Server) OAuthServerAuthorize(w http.ResponseWriter, r *http.Request) er
 		Resource:            query.Get("resource"),
 		CodeChallenge:       query.Get("code_challenge"),
 		CodeChallengeMethod: query.Get("code_challenge_method"),
+		Nonce:               query.Get("nonce"),
 	}
 
 	// validate basic required parameters (client_id, redirect_uri)
@@ -134,15 +136,17 @@ func (s *Server) OAuthServerAuthorize(w http.ResponseWriter, r *http.Request) er
 	}
 
 	// Store authorization request in database (without user initially)
-	authorization := models.NewOAuthServerAuthorization(
-		client.ID, // Use the client's UUID instead of the public client_id string
-		params.RedirectURI,
-		params.Scope,
-		params.State,
-		params.Resource,
-		params.CodeChallenge,
-		params.CodeChallengeMethod,
-	)
+	authorization := models.NewOAuthServerAuthorization(models.NewOAuthServerAuthorizationParams{
+		ClientID:            client.ID,
+		RedirectURI:         params.RedirectURI,
+		Scope:               params.Scope,
+		State:               params.State,
+		Resource:            params.Resource,
+		CodeChallenge:       params.CodeChallenge,
+		CodeChallengeMethod: params.CodeChallengeMethod,
+		TTL:                 config.OAuthServer.AuthorizationTTL,
+		Nonce:               params.Nonce,
+	})
 
 	if err := models.CreateOAuthServerAuthorization(db, authorization); err != nil {
 		// Error creating authorization - redirect with server_error
@@ -457,6 +461,11 @@ func (s *Server) validateRemainingAuthorizeParams(params *AuthorizeParams) error
 		return errors.New("only response_type=code is supported")
 	}
 
+	// Validate scopes
+	if err := s.validateScopes(params.Scope); err != nil {
+		return err
+	}
+
 	// Resource parameter validation (per RFC 8707)
 	if err := s.validateResourceParam(params.Resource); err != nil {
 		return err
@@ -521,6 +530,27 @@ func (s *Server) validateResourceParam(resource string) error {
 	return nil
 }
 
+// validateScopes validates the requested scopes
+func (s *Server) validateScopes(scopeString string) error {
+	if scopeString == "" {
+		return errors.New("scope parameter is required")
+	}
+
+	scopes := models.ParseScopeString(scopeString)
+	if len(scopes) == 0 {
+		return errors.New("scope parameter cannot be empty")
+	}
+
+	// Validate each scope against the centrally defined supported scopes
+	for _, scope := range scopes {
+		if !models.IsSupportedScope(scope) {
+			return fmt.Errorf("unsupported scope: %s", scope)
+		}
+	}
+
+	return nil
+}
+
 func (s *Server) isValidRedirectURI(client *models.OAuthServerClient, redirectURI string) bool {
 	registeredURIs := client.GetRedirectURIs()
 	for _, registeredURI := range registeredURIs {