supabase / supabase-js

An isomorphic Javascript client for Supabase. Query your Supabase database, subscribe to realtime events, upload and download files, browse typescript examples, invoke postgres functions via rpc, invoke supabase edge functions, query pgvector.
https://supabase.com
MIT License
2.86k stars 220 forks

Google OAuth refresh session not works #934

Closed oleggrishechkin closed 4 months ago

oleggrishechkin commented 4 months ago

Bug report

Describe the bug

I'm trying to set up Google OAuth in my application. When the token expires, the session refreshes. But after the refresh, provider_token and provider_refresh_token are missing.

To sign in I'm using this code:

await supabase.auth.signInWithOAuth({
    provider: 'google',
    options: {
        queryParams: {
            access_type: 'offline',
            prompt: 'consent',
        },
        scopes: 'https://www.googleapis.com/auth/drive.file',
    },
});

Also, if I call signInWithOAuth without prompt: 'consent', I get provider_refresh_token: undefined in the session object (which is also incorrect behaviour).

To Reproduce

  1. Set up Login with Google
  2. Call
    await supabase.auth.signInWithOAuth({
        provider: 'google',
        options: {
            queryParams: {
                access_type: 'offline',
                prompt: 'consent',
            },
            scopes: 'https://www.googleapis.com/auth/drive.file',
        },
    });
  3. Wait for token expiration.
  4. Check the session refresh via onAuthStateChange. See no provider_token and provider_refresh_token in the session object.

Expected behavior

The session should be refreshed correctly; provider_token and provider_refresh_token should be in the session object after the refresh.

System information

Additional context

It could be some Google OAuth limitation, so if it is, I think it would be good to mention it at Login with Google.

Also, I run the code on localhost.

oleggrishechkin commented 4 months ago

Related https://github.com/supabase/gotrue-js/issues/131

j4w8n commented 4 months ago

Supabase does not track the provider tokens. After the initial user login, you need to store these on your own.

oleggrishechkin commented 4 months ago

> Supabase does not track the provider tokens. After the initial user login, you need to store these on your own.

Thank you for the reply. I think you can close this issue.

It would be good to have the possibility to refresh the token via the Supabase API, since client_secret is required to refresh.

j4w8n commented 4 months ago

> > Supabase does not track the provider tokens. After the initial user login, you need to store these on your own.

> Thank you for the reply. I think you can close this issue.

> It would be good to have the possibility to refresh the token via the Supabase API, since client_secret is required to refresh.

I'm not able to close, but I think you can.
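
What the replies above describe, as an added example that is not part of the thread or of supabase-js: save the provider tokens when the session still carries them, and refresh the Google access token yourself on a server that holds client_secret. The function names, the `store` object and the injected `fetchImpl` are assumptions; the token endpoint and its parameters are Google's documented OAuth 2.0 refresh flow.

```javascript
// Added example. captureProviderTokens, refreshGoogleAccessToken and `store`
// are hypothetical names; `store` stands in for your own server-side storage.

// Call from supabase.auth.onAuthStateChange((event, session) => ...).
// Sessions produced by a refresh carry no provider tokens, so never let an
// empty session overwrite what was saved at sign-in.
function captureProviderTokens(session, store) {
  if (!session) return false;
  const { provider_token, provider_refresh_token } = session;
  if (!provider_token && !provider_refresh_token) return false;
  const saved = store.get(session.user.id) || {};
  store.set(session.user.id, {
    accessToken: provider_token || saved.accessToken,
    // May be undefined on a sign-in without prompt=consent: keep the old one.
    refreshToken: provider_refresh_token || saved.refreshToken,
  });
  return true;
}

// Server side only: client_secret must never be shipped to the browser.
async function refreshGoogleAccessToken(refreshToken, { clientId, clientSecret, fetchImpl = globalThis.fetch }) {
  const res = await fetchImpl('https://oauth2.googleapis.com/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      refresh_token: refreshToken,
      client_id: clientId,
      client_secret: clientSecret,
    }).toString(),
  });
  const body = await res.json();
  if (!res.ok) {
    // e.g. invalid_grant: the refresh token was revoked, the user must sign in again.
    throw new Error(`Google token refresh failed: ${body.error || res.status}`);
  }
  // Google does not normally return a new refresh token here; keep the stored one.
  return { accessToken: body.access_token, expiresAt: Date.now() + body.expires_in * 1000 };
}
```

Treat the stored refresh token as a long-lived credential: keep it out of browser storage and restrict who can read the table or secret store that holds it.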