@supabase/gotrue-js 2.98.0 → 2.98.1-canary.0

package/src/lib/types.ts

@@ -1774,6 +1774,255 @@ export interface GoTrueAdminOAuthApi {
   regenerateClientSecret(clientId: string): Promise<OAuthClientResponse>
 }
 
+/**
+ * Type of custom identity provider.
+ */
+export type CustomProviderType = 'oauth2' | 'oidc'
+
+/**
+ * OIDC discovery document fields.
+ * Populated when the server successfully fetches and validates the
+ * provider's OpenID Connect discovery document.
+ */
+export type OIDCDiscoveryDocument = {
+  /** The issuer identifier */
+  issuer: string
+  /** URL of the authorization endpoint */
+  authorization_endpoint: string
+  /** URL of the token endpoint */
+  token_endpoint: string
+  /** URL of the JSON Web Key Set */
+  jwks_uri: string
+  /** URL of the userinfo endpoint */
+  userinfo_endpoint?: string
+  /** URL of the revocation endpoint */
+  revocation_endpoint?: string
+  /** List of supported scopes */
+  supported_scopes?: string[]
+  /** List of supported response types */
+  supported_response_types?: string[]
+  /** List of supported subject types */
+  supported_subject_types?: string[]
+  /** List of supported ID token signing algorithms */
+  supported_id_token_signing_algs?: string[]
+}
+
+/**
+ * Custom OAuth/OIDC provider object returned from the admin API.
+ */
+export type CustomOAuthProvider = {
+  /** Unique identifier (UUID) */
+  id: string
+  /** Provider type */
+  provider_type: CustomProviderType
+  /** Provider identifier (e.g. `custom:mycompany`) */
+  identifier: string
+  /** Human-readable name */
+  name: string
+  /** OAuth client ID */
+  client_id: string
+  /** Additional client IDs accepted during token validation */
+  acceptable_client_ids?: string[]
+  /** OAuth scopes requested during authorization */
+  scopes?: string[]
+  /** Whether PKCE is enabled */
+  pkce_enabled?: boolean
+  /** Mapping of provider attributes to Supabase user attributes */
+  attribute_mapping?: Record<string, any>
+  /** Additional parameters sent with the authorization request */
+  authorization_params?: Record<string, string>
+  /** Whether the provider is enabled */
+  enabled?: boolean
+  /** Whether email is optional for this provider */
+  email_optional?: boolean
+  /** OIDC issuer URL */
+  issuer?: string
+  /** OIDC discovery URL */
+  discovery_url?: string
+  /** Whether to skip nonce check (OIDC) */
+  skip_nonce_check?: boolean
+  /** OAuth2 authorization URL */
+  authorization_url?: string
+  /** OAuth2 token URL */
+  token_url?: string
+  /** OAuth2 userinfo URL */
+  userinfo_url?: string
+  /** JWKS URI for token verification */
+  jwks_uri?: string
+  /** OIDC discovery document (OIDC providers only) */
+  discovery_document?: OIDCDiscoveryDocument | null
+  /** Timestamp when the provider was created */
+  created_at: string
+  /** Timestamp when the provider was last updated */
+  updated_at: string
+}
+
+/**
+ * Parameters for creating a new custom provider.
+ */
+export type CreateCustomProviderParams = {
+  /** Provider type */
+  provider_type: CustomProviderType
+  /** Provider identifier (e.g. `custom:mycompany`) */
+  identifier: string
+  /** Human-readable name */
+  name: string
+  /** OAuth client ID */
+  client_id: string
+  /** OAuth client secret (write-only, not returned in responses) */
+  client_secret: string
+  /** Additional client IDs accepted during token validation */
+  acceptable_client_ids?: string[]
+  /** OAuth scopes requested during authorization */
+  scopes?: string[]
+  /** Whether PKCE is enabled */
+  pkce_enabled?: boolean
+  /** Mapping of provider attributes to Supabase user attributes */
+  attribute_mapping?: Record<string, any>
+  /** Additional parameters sent with the authorization request */
+  authorization_params?: Record<string, string>
+  /** Whether the provider is enabled */
+  enabled?: boolean
+  /** Whether email is optional for this provider */
+  email_optional?: boolean
+  /** OIDC issuer URL */
+  issuer?: string
+  /** OIDC discovery URL */
+  discovery_url?: string
+  /** Whether to skip nonce check (OIDC) */
+  skip_nonce_check?: boolean
+  /** OAuth2 authorization URL */
+  authorization_url?: string
+  /** OAuth2 token URL */
+  token_url?: string
+  /** OAuth2 userinfo URL */
+  userinfo_url?: string
+  /** JWKS URI for token verification */
+  jwks_uri?: string
+}
+
+/**
+ * Parameters for updating an existing custom provider.
+ * All fields are optional. Only provided fields will be updated.
+ * `provider_type` and `identifier` are immutable and cannot be changed.
+ */
+export type UpdateCustomProviderParams = {
+  /** Human-readable name */
+  name?: string
+  /** OAuth client ID */
+  client_id?: string
+  /** OAuth client secret (write-only, not returned in responses) */
+  client_secret?: string
+  /** Additional client IDs accepted during token validation */
+  acceptable_client_ids?: string[]
+  /** OAuth scopes requested during authorization */
+  scopes?: string[]
+  /** Whether PKCE is enabled */
+  pkce_enabled?: boolean
+  /** Mapping of provider attributes to Supabase user attributes */
+  attribute_mapping?: Record<string, any>
+  /** Additional parameters sent with the authorization request */
+  authorization_params?: Record<string, string>
+  /** Whether the provider is enabled */
+  enabled?: boolean
+  /** Whether email is optional for this provider */
+  email_optional?: boolean
+  /** OIDC issuer URL */
+  issuer?: string
+  /** OIDC discovery URL */
+  discovery_url?: string
+  /** Whether to skip nonce check (OIDC) */
+  skip_nonce_check?: boolean
+  /** OAuth2 authorization URL */
+  authorization_url?: string
+  /** OAuth2 token URL */
+  token_url?: string
+  /** OAuth2 userinfo URL */
+  userinfo_url?: string
+  /** JWKS URI for token verification */
+  jwks_uri?: string
+}
+
+/**
+ * Parameters for listing custom providers.
+ */
+export type ListCustomProvidersParams = {
+  /** Filter by provider type */
+  type?: CustomProviderType
+}
+
+/**
+ * Response type for custom provider operations.
+ */
+export type CustomProviderResponse = RequestResult<CustomOAuthProvider>
+
+/**
+ * Response type for listing custom providers.
+ */
+export type CustomProviderListResponse =
+  | {
+      data: { providers: CustomOAuthProvider[] }
+      error: null
+    }
+  | {
+      data: { providers: [] }
+      error: AuthError
+    }
+
+/**
+ * Contains all custom OIDC/OAuth provider administration methods.
+ */
+export interface GoTrueAdminCustomProvidersApi {
+  /**
+   * Lists all custom providers with optional type filter.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  listProviders(params?: ListCustomProvidersParams): Promise<CustomProviderListResponse>
+
+  /**
+   * Creates a new custom OIDC/OAuth provider.
+   *
+   * For OIDC providers, the server fetches and validates the OpenID Connect discovery document
+   * from the issuer's well-known endpoint (or the provided `discovery_url`) at creation time.
+   * This may return a validation error (`error_code: "validation_failed"`) if the discovery
+   * document is unreachable, not valid JSON, missing required fields, or if the issuer
+   * in the document does not match the expected issuer.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  createProvider(params: CreateCustomProviderParams): Promise<CustomProviderResponse>
+
+  /**
+   * Gets details of a specific custom provider by identifier.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  getProvider(identifier: string): Promise<CustomProviderResponse>
+
+  /**
+   * Updates an existing custom provider.
+   *
+   * When `issuer` or `discovery_url` is changed on an OIDC provider, the server re-fetches and
+   * validates the discovery document before persisting. This may return a validation error
+   * (`error_code: "validation_failed"`) if the discovery document is unreachable, invalid, or
+   * the issuer does not match.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  updateProvider(
+    identifier: string,
+    params: UpdateCustomProviderParams
+  ): Promise<CustomProviderResponse>
+
+  /**
+   * Deletes a custom provider.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  deleteProvider(identifier: string): Promise<{ data: null; error: AuthError | null }>
+}
+
 /**
  * OAuth client details in an authorization request.
  * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.

package/src/lib/version.ts

@@ -4,4 +4,4 @@
 // - Debugging and support (identifying which version is running)
 // - Telemetry and logging (version reporting in errors/analytics)
 // - Ensuring build artifacts match the published package version
-export const version = '2.98.0'
+export const version = '2.98.1-canary.0'