Skip to content

feat(gotrue): add custom OAuth providers admin API with custom_claims_allowlist#1519

Open
spydon wants to merge 7 commits into
mainfrom
lukasklingsbo/sdk-1173-parityauth-add-custom_claims_allowlist-to-custom-providers
Open

feat(gotrue): add custom OAuth providers admin API with custom_claims_allowlist#1519
spydon wants to merge 7 commits into
mainfrom
lukasklingsbo/sdk-1173-parityauth-add-custom_claims_allowlist-to-custom-providers

Conversation

@spydon

@spydon spydon commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What

Implements the custom OAuth/OIDC providers admin API in gotrue, exposed as client.auth.admin.customProviders, mirroring the admin.customProviders API in supabase-js (/admin/custom-providers). This is distinct from the existing OAuth 2.1 server clients API (admin.oauth).

Resolves SDK-1173.

The parity issue asked to add custom_claims_allowlist to the custom providers admin types, but that API did not exist in the Flutter SDK at all, so this adds the full surface including the field.

Changes

  • New GoTrueAdminCustomProvidersApi with listProviders({type}), createProvider, getProvider, updateProvider, deleteProvider.
  • Wired into GoTrueAdminApi as admin.customProviders.
  • New types: CustomProviderType, OIDCDiscoveryDocument, CustomOAuthProvider, CreateCustomProviderParams, UpdateCustomProviderParams.
  • All three provider types carry customClaimsAllowlist (serialized as custom_claims_allowlist), an opt-in allowlist of raw identity provider claim keys copied verbatim into the user's custom_claims. Optional, absent by default.

Usage

await supabase.auth.admin.customProviders.createProvider(
  CreateCustomProviderParams(
    providerType: CustomProviderType.oidc,
    identifier: 'custom:mycompany',
    name: 'My Company',
    clientId: '...',
    clientSecret: '...',
    customClaimsAllowlist: ['groups', 'org_id', 'mail'],
  ),
);

Tests

  • Unit tests for serialization/deserialization of custom_claims_allowlist (present, absent, empty) across the create/update/read types.
  • Integration tests covering create/list/list-by-type/get/update/delete against a live gotrue server.

Integration tests use OAuth2 providers (OIDC creation triggers a server-side discovery-document fetch, which would be network-dependent). They do not assert customClaimsAllowlist round-trips through the server, since the auth image bundled with the pinned Supabase CLI accepts the field but does not yet echo it in responses; serialization is covered by the unit tests.

…_allowlist

Adds admin.customProviders with list/create/get/update/delete for custom
OIDC/OAuth providers, mirroring supabase-js. The create, update, and read
types carry the custom_claims_allowlist field for copying raw identity
provider claims into the user's custom_claims.
@spydon spydon requested a review from a team as a code owner July 2, 2026 11:40
@github-actions github-actions Bot added the auth This issue or pull request is related to authentication label Jul 2, 2026
@spydon spydon marked this pull request as draft July 2, 2026 14:14
…e enum name

Moves the custom OAuth provider admin types out of types.dart into
custom_oauth_provider.dart, and drops the redundant CustomProviderType.value
in favour of the enum's built-in name.
@spydon spydon marked this pull request as ready for review July 2, 2026 14:26
@Vinzent03

Copy link
Copy Markdown
Collaborator

I actually already vibe coded this api locally for a project right when the api came out 2 months ago, because I needed it for a project, but never took the time to polish it and create the pr 😅

@spydon

spydon commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

I actually already vibe coded this api locally for a project right when the api came out 2 months ago, because I needed it for a project, but never took the time to polish it and create the pr 😅

Sounds like you're the perfect person to review this then 😁

Comment thread packages/gotrue/lib/src/types/custom_oauth_provider.dart Outdated
Comment thread packages/gotrue/lib/src/types/custom_oauth_provider.dart Outdated
Comment thread packages/gotrue/lib/src/gotrue_admin_custom_providers_api.dart Outdated
spydon added 3 commits July 6, 2026 11:16
…3-parityauth-add-custom_claims_allowlist-to-custom-providers
- Parse provider timestamps into DateTime instead of String
- Use null-aware map elements in the params toJson methods
- Document validation errors as AuthException with a validation_failed code
…h-add-custom_claims_allowlist-to-custom-providers' into lukasklingsbo/sdk-1173-parityauth-add-custom_claims_allowlist-to-custom-providers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auth This issue or pull request is related to authentication

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants