@Rodriguespn Rodriguespn commented Jan 2, 2026

⚠️ This PR is under development - Please do not merge until marked as ready for review.


What kind of change does this PR introduce?

Bug fix

What is the current behavior?

When registering an OAuth client via dynamic client registration (POST /oauth/clients/register), the request fails with a NULL constraint violation:

ERROR: null value in column "token_endpoint_auth_method" of relation "oauth_clients" violates not-null constraint (SQLSTATE 23502)

This happens because:

  1. The hosted database has the token_endpoint_auth_method column with a NOT NULL constraint (added via a hosted-only migration)
  2. The OAuthServerClient model doesn't have the TokenEndpointAuthMethod field
  3. registerOAuthServerClient never sets this field when creating a new client

What is the new behavior?

The token_endpoint_auth_method is now properly set during OAuth client registration:

  • If explicitly provided in the request, that value is used
  • For public clients, defaults to "none"
  • For confidential clients, defaults to "client_secret_basic"

Additional context

This fix is required for MCP (Model Context Protocol) authentication to work with Supabase Auth as the OAuth provider. MCP clients like Claude Code check the /.well-known/oauth-authorization-server endpoint and if "none" is listed in token_endpoint_auth_methods_supported, they register as public clients with token_endpoint_auth_method=none.

Changes

  • Added TokenEndpointAuthMethod field to OAuthServerClient struct
  • Added DetermineTokenEndpointAuthMethod() function to determine the auth method based on explicit value or client type defaults
  • Updated registerOAuthServerClient to set TokenEndpointAuthMethod when creating clients
  • Removed the TODO workaround in oauthServerClientToResponse - now uses the stored value directly
  • Added migration for open-source deployments to create the column and backfill existing data
  • Added unit tests for DetermineTokenEndpointAuthMethod

@Rodriguespn Rodriguespn requested a review from cemalkilic January 2, 2026 19:47
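
The defaulting rule described in the PR, as an added Go example that is not the PR's code or the project's implementation. `resolveAuthMethod` is a hypothetical name, and rejecting method/client-type mismatches is an assumption that goes beyond the description, which only says an explicit value is used.

```go
package main

import (
	"errors"
	"fmt"
)

// Method strings are the RFC 7591 token_endpoint_auth_method values.
const (
	methodNone  = "none"
	methodBasic = "client_secret_basic"
	methodPost  = "client_secret_post"
)

var (
	errMismatch    = errors.New("auth method inconsistent with client type")
	errUnsupported = errors.New("unsupported token_endpoint_auth_method")
)

// resolveAuthMethod is a hypothetical helper. An empty request falls back to
// the PR's defaults; rejecting mismatched pairs is an assumption added here.
func resolveAuthMethod(clientType, requested string) (string, error) {
	public := clientType == "public"
	switch requested {
	case "":
		if public {
			return methodNone, nil
		}
		return methodBasic, nil
	case methodNone:
		if !public { // a confidential client must authenticate
			return "", errMismatch
		}
	case methodBasic, methodPost:
		if public { // a public client holds no secret to present
			return "", errMismatch
		}
	default:
		return "", fmt.Errorf("%w: %q", errUnsupported, requested)
	}
	return requested, nil
}

func main() {
	// Constructed (client type, requested method) pairs.
	for _, c := range [][2]string{{"public", ""}, {"confidential", ""}, {"confidential", "none"}} {
		m, err := resolveAuthMethod(c[0], c[1])
		fmt.Printf("%s/%q -> %q, err=%v\n", c[0], c[1], m, err)
	}
}
```

Resolving the value before the insert guarantees the NOT NULL column always receives a concrete method, and a registration that would store a confidential client with "none" is refused rather than persisted.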
@coveralls

Pull Request Test Coverage Report for Build 20665607914

Details

  • 24 of 24 (100.0%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.02%) to 68.804%

Totals Coverage Status
Change from base Build 20599680500: 0.02%
Covered Lines: 14753
Relevant Lines: 21442

💛 - Coveralls

@Rodriguespn

Solved in this PR

@Rodriguespn Rodriguespn closed this Jan 5, 2026