supabase / auth-helpers

A collection of framework specific Auth utilities for working with Supabase.
https://supabase.github.io/auth-helpers/
MIT License

oauth throws `unable to exchange external code` on a local `supabase/cli` setup with `auth-helpers-sveltekit` #613

Closed bhvngt closed 1 year ago

bhvngt commented 1 year ago

Bug report

Describe the bug

While testing oauth provider based SignIn using examples/sveltekit application, it works with hosted supabase project. However it fails to work when used with local supabase/cli setup.

So the question is, does the gotrue docker image used by supabase/cli support the pkce auth flow?

Or I am missing something here...

To Reproduce

Steps to reproduce the behaviour, please provide code snippets or a repository:

  1. Clone supabase/auth-helpers
  2. Follow steps described in README.md
  3. Created a .env file with the following properties for use against supabase/cli
    PUBLIC_SUPABASE_URL=http://localhost:54321
    PUBLIC_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0
  4. Installed supabase/cli by executing steps mentioned here
  5. Configured supabase/cli with the following config.toml
  6. My google oauth has two credentials
    • Local Development - Authorized Redirect URL is http://localhost:54321/auth/v1/callback
    • For Hosted Project - Authorized Redirect URL is <hosted_supabase_url>/auth/v1/callback
  7. Initialised the GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET env variables with the Local Development credential
  8. GOOGLE_REDIRECT_URI is set as http://localhost:54321/auth/v1/callback
  9. Run pnpm dev --filter=@example/sveltekit
  10. Click on Google
  11. Consent screen appears
  12. On choosing the google account
    • For hosted supabase project assuming .env file points to hosted supabase url and hosted supabase anon key
    • url is redirected to /auth/v1/callback with payload as state, code, prompt:none
    • url is further redirected to http://localhost:3001/api/auth/callback?code=<code passed from previous url>
      • finally session details are displayed with the signout button
    • For local supabase/cli assuming .env file points to http://localhost:54321 and supabase/cli anon key
    • url is redirected to /auth/v1/callback with payload as state, code, prompt:consent
    • url is further redirected to http://localhost:3001/api/auth/callback with the following error text
      {'error' => 'server_error', 'error_description' => 'Unable to exchange external code: <previous code>'}
      • user is taken back to home page without any user session

Expected behavior

Local supabase/cli development should work just like the hosted supabase environment works for oauth login

Screenshots

(screenshot omitted)

System information

silentworks commented 1 year ago

The examples in the repo are purely for developing with this repo and not for setting up as a project. I've tested OAuth with the supabase/cli in another repo and it works correctly https://github.com/supabase-community/supabase-by-example/tree/main/oauth-flow/sveltekit

bhvngt commented 1 year ago

Thanks @silentworks for your reply. I was using this repo as a reference to set up OAuth with my project. I somehow missed this particular example repo that you have shared.

I was able to make OAuth work when I tried your example locally. Thanks a ton for sharing the same.

I had missed setting up cookieOptions that is required for local server testing.