Closed kav closed 11 months ago
Is exactly what fails due to the issue. You can not implement an implicit grant oauth request within your application without go-true hijacking the returning request and assuming it's a supabase login.
I see, this makes some sense. I'll see what we can do about this in future major versions. There's no way for us to change the behavior now without breaking backward compatibility. Until then, you can use the detectSessionInUrl
option, which when set to false
won't pick up the implicit flow parameters from the OAuth redirect back to your application.
For example, if the OAuth redirect takes the user back to /oauth-callback
on your application, you can initialize GoTrueClient
like so:
new GoTrueClient({
detectSessionInUrl: window.location.pathname !== "/oauth-callback"
})
Or, when using supabase-js, something like:
createClient('...', '...', {
auth: {
detectSessionInUrl: window.location.pathname !== "/oauth-callback"
}
})
I'll close this as won't fix but will be addressed in v3.
We're running into https://github.com/supabase/gotrue-js/issues/527 but it was closed incorrectly as @hf seemed to not fully grok the issue. In fact their comment:
Is exactly what fails due to the issue. You can not implement an implicit grant oauth request within your application without go-true hijacking the returning request and assuming it's a supabase login.
Say for example my application uses supabase for auth but somewhere in my app I use an implicit grant flow to get access to a user's data on a third party site, not a supabase auth provider, just another site that uses implicit oauth grants to access data. gotrue-js hijacks the callback because it thinks it's seeing a incoming supabase grant when in fact it's seeing the third party grant. This not only blocks finishing the third-party grant it wipes the current supabase session.
Original issue details below.