Closed jfeaver closed 1 year ago
I've been attempting a workaround where I directly request a refresh from the GoTrue API or Google OAuth API directly but don't get back a new "provider_token" from the GoTrue API (based on the JS client behaviour, I guess I should have expected this) and can't get back a non-error response from Google OAuth API ("invalid_grant" error).
Maybe this is a GoTrue bug?
For now, I think the workaround for me is to use Supabase for authentication and handle OAuth API connections separately from Supabase.
Yeah, supabase doesn't handle refreshing the provider tokens.
> supabase doesn't handle refreshing the provider tokens
Okay, thanks @j4w8n. That's good to know.
That being the case, I wish Supabase made it possible for me to initiate the OAuth with Google and then refresh those tokens on my own. As it is, I can't use Supabase for any step because the refresh tokens are not provided after Google OAuth (maybe this is the real issue). There's a `provider_refresh_token` property but it's nullish for Google OAuth sessions even though Google's API documentation and OAuth Playground show that they provide refresh tokens.
I want Supabase to help with OAuth for API access but I'm looking at implementing it separately. This isn't hard but it was a bad experience working through the Supabase issues only to figure out that I couldn't use it (another "real issue" could be that Supabase needs documentation stating that they don't handle refreshing provider tokens). I'd like to reuse the OAuth capabilities of Supabase and keep consistency in my codebase rather than implement OAuth separately so if Supabase did handle refreshing provider tokens, that would be lovely.
I don't have Google OAuth set up, so I can't confirm. You might hit up the Discord server and ask there if it returns a provider token.
While implementing OAuth for myself, I found out that Google OAuth requires an `access_type=offline` URL param to be present in the initial authorization request. So... in order to get back a `provider_refresh_token`, one must add that to the request. In my case, this means doing something like this in Step 1:
```js
signInWithOAuth({
  provider: "google",
  options: {
    // access_type=offline is what makes Google return a refresh token
    queryParams: { access_type: "offline" },
    scopes:
      "https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/calendar.events.readonly",
    redirectTo: url("/oauth/calendar/callback"),
  },
});
```
After getting back the `provider_refresh_token`, I still have to handle refreshing that token with Google as needed. Time to get back to work. :)
Hopefully this discussion will save someone else the hours of time I spent going through this all.
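The refresh step the comment above leaves to the application is the standard OAuth 2.0 `refresh_token` grant against Google's token endpoint. The following is an added example, not part of the original thread and not Supabase code; the function names and the credentials object are assumptions, and it is meant to run server-side so the client secret stays off the browser. It also handles the `invalid_grant` reply mentioned earlier in the thread.

```javascript
// Added example (not from the thread). Server-side only: the client secret
// must never reach the browser.
const GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";

// Build the refresh_token grant request (RFC 6749, section 6).
function buildRefreshRequest({ clientId, clientSecret }, providerRefreshToken) {
  if (!providerRefreshToken) {
    // Nullish when the sign-in request lacked access_type=offline.
    throw new Error("no provider_refresh_token stored for this user");
  }
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: providerRefreshToken,
  });
  return {
    url: GOOGLE_TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Turn the token endpoint's reply into a decision for the caller.
function interpretTokenResponse(status, json, nowMs = Date.now()) {
  if (status === 200 && json.access_token) {
    return {
      ok: true,
      accessToken: json.access_token,
      // Refresh 60 s early so API calls never race the expiry.
      expiresAt: nowMs + (json.expires_in - 60) * 1000,
    };
  }
  // invalid_grant: refresh token revoked, expired, or issued to another client.
  // Retrying cannot succeed; discard it and send the user through consent again.
  const reauthorize = json.error === "invalid_grant";
  return { ok: false, reauthorize, error: json.error || `http_${status}` };
}

async function refreshGoogleAccessToken(creds, providerRefreshToken, fetchImpl = fetch) {
  const { url, init } = buildRefreshRequest(creds, providerRefreshToken);
  const res = await fetchImpl(url, init);
  return interpretTokenResponse(res.status, await res.json().catch(() => ({})));
}
```

Store the refresh token encrypted at rest and keyed to the user, and keep it and the token response out of application logs.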
Bug report
Describe the bug
When a signed in user (with password) wants to connect to a Google calendar they are able to view the calendar for one hour until the session expires. At this time, the app refreshes the session. The refresh seems successful except that the refresh only refreshes the session with GoTrue but does not refresh the provider token.
I might be approaching OAuth API connections in a not-the-supabase-way. Please let me know if this is the case.
Thanks!
To Reproduce
Step 2:
STEP 3:
STEP 4:
`getSupabase` function uses the `createClient` function under the hood with these settings (inspired by supa-fly-stack). Using `persistSession` `true` or `false` doesn't seem to make a difference for this issue.
Expected behavior
I expect that calling `auth.refreshToken` will return a refreshed provider token. I don't care as much about the GoTrue session as I do about the Google API session.
Screenshots
N/A
System information
Additional context
None.