Merge branch 'master' into fm/multigres-tests

Author: fadymak

CHANGELOG.md

@@ -1,5 +1,33 @@
 # Changelog
 
+## [2.190.0](https://github.com/supabase/auth/compare/v2.189.0...v2.190.0) (2026-06-11)
+
+
+### Features
+
+* add -failfast to make test command ([#2553](https://github.com/supabase/auth/issues/2553)) ([bec1dd0](https://github.com/supabase/auth/commit/bec1dd022c3ae7a97c70249949f40056f4c06071))
+* **conf:** add JSON config file support ([#2540](https://github.com/supabase/auth/issues/2540)) ([e63fef9](https://github.com/supabase/auth/commit/e63fef9c71a3287aee6fcc7c595ad82797e357cd))
+* create tools directory for deterministic builds ([#2522](https://github.com/supabase/auth/issues/2522)) ([52cf3d9](https://github.com/supabase/auth/commit/52cf3d9bc2b6cbd971f4c85b81cd1e9a8bf9e381))
+* **custom-oidc:** support non-standard discovery URLs ([#2573](https://github.com/supabase/auth/issues/2573)) ([3dacc64](https://github.com/supabase/auth/commit/3dacc6410202e832de2044a5dff1cc8bae8065bd))
+* fix the vulncheck-filter to parse the text format instead ([#2525](https://github.com/supabase/auth/issues/2525)) ([4136d49](https://github.com/supabase/auth/commit/4136d49ebdee4e35fb9c9713f33bd5664b959431))
+* fork github.com/joho/godotenv into internal/conf/envparse ([#2521](https://github.com/supabase/auth/issues/2521)) ([cda62a9](https://github.com/supabase/auth/commit/cda62a9c215ea1b8eb7ab281e0db549a2c9e4b46))
+
+
+### Bug Fixes
+
+* Azure issuer validation ([#2560](https://github.com/supabase/auth/issues/2560)) ([a39858b](https://github.com/supabase/auth/commit/a39858b6e9d194198005eceff9e707c0cd3118e1))
+* catch cancelation errors in bg workers & servers ([#2530](https://github.com/supabase/auth/issues/2530)) ([77f5918](https://github.com/supabase/auth/commit/77f5918c0646433e67aec9e2e560168a50d844c3))
+* check session state for admin tokens ([#2555](https://github.com/supabase/auth/issues/2555)) ([c5969ed](https://github.com/supabase/auth/commit/c5969ed897f2fefc2af386e78eb15b68b214ef0d))
+* **config:** warn on invalid WebAuthn config instead of erroring ([#2545](https://github.com/supabase/auth/issues/2545)) ([ca0b154](https://github.com/supabase/auth/commit/ca0b1547f77f5261458a6e91ca2ccb2c0e907ca7))
+* **custom-oidc:** strip trailing slashes from issuer ([#2570](https://github.com/supabase/auth/issues/2570)) ([169ad67](https://github.com/supabase/auth/commit/169ad67533ccad633d69ecb69e768888449d5090))
+* **Dockerfile:** ensure forks exists on fs before make deps ([#2567](https://github.com/supabase/auth/issues/2567)) ([01f136d](https://github.com/supabase/auth/commit/01f136de0101c40f5033958c6b50d59dd084ee45))
+* **mailer:** include SiteURL in notification template data ([#2532](https://github.com/supabase/auth/issues/2532)) ([dc015da](https://github.com/supabase/auth/commit/dc015da420a3b9255f152b9d6dd7e17718d6e550))
+* **oauth-server:** serialize concurrent authorize/consent with row-level lock ([#2512](https://github.com/supabase/auth/issues/2512)) ([c816cfe](https://github.com/supabase/auth/commit/c816cfeec75c8521f8e25260de7073c7236a9ac9))
+* **passkeys:** delete webauthn creds when user is soft-deleted ([#2564](https://github.com/supabase/auth/issues/2564)) ([7e1c060](https://github.com/supabase/auth/commit/7e1c0603cb4a1f6bf7e862a4154f558918a1a870))
+* **passkeys:** enforce AAL checks on passkey registration and deletion ([#2565](https://github.com/supabase/auth/issues/2565)) ([7e6f2e4](https://github.com/supabase/auth/commit/7e6f2e473e5d4ac8bb09bb06c55cc2ed4e20a102))
+* source WebAuthn RP config from env vars ([#2490](https://github.com/supabase/auth/issues/2490)) ([63949ca](https://github.com/supabase/auth/commit/63949cace4028679ec00192819fb66a5dc0f56f0))
+* when version is empty set to 0.0.0 ([#2531](https://github.com/supabase/auth/issues/2531)) ([a3b7c8c](https://github.com/supabase/auth/commit/a3b7c8c54d2a22bc6f9566591d94a9e07bbc7cc3))
+
 ## [2.189.0](https://github.com/supabase/auth/compare/v2.188.1...v2.189.0) (2026-04-23)
 
 

internal/api/custom_oauth_admin.go

@@ -2,12 +2,9 @@ package api
 
 import (
 	"context"
-	"encoding/json"
-	"io"
 	"net/http"
 	"slices"
 	"strings"
-	"time"
 
 	"github.com/go-chi/chi/v5"
 	popslices "github.com/gobuffalo/pop/v6/slices"
@@ -666,61 +663,34 @@ func validateAuthorizationParams(params map[string]interface{}) error {
 	return nil
 }
 
-// maxDiscoveryResponseSize is the maximum size of an OIDC discovery response body (1 MB).
-const maxDiscoveryResponseSize = 1 << 20
-
-// discoveryFetchTimeout is the timeout for fetching an OIDC discovery document.
-const discoveryFetchTimeout = 10 * time.Second
-
-// fetchAndValidateDiscovery fetches the OIDC discovery document from the
-// provider's discovery URL and validates that it contains the required fields
-// per the OpenID Connect Discovery 1.0 specification. It also verifies that
-// the issuer in the discovery document matches the expected issuer.
+// fetchAndValidateDiscovery fetches the OIDC discovery document via the shared
+// utility, then applies admin-only validation: required fields per the OpenID
+// Connect Discovery 1.0 spec must be present before we persist the document.
+// Returns *models.OIDCDiscovery so the caller can store it directly.
 func fetchAndValidateDiscovery(ctx context.Context, discoveryURL, expectedIssuer string) (*models.OIDCDiscovery, error) {
-	resp, err := utilities.FetchURLWithTimeout(ctx, discoveryURL, discoveryFetchTimeout)
+	doc, err := utilities.FetchAndValidateOIDCDiscovery(ctx, discoveryURL, expectedIssuer)
 	if err != nil {
 		return nil, apierrors.NewBadRequestError(
 			apierrors.ErrorCodeValidationFailed,
-			"Failed to fetch OIDC discovery document from %q: %v", discoveryURL, err,
-		)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery endpoint %q returned HTTP %d, expected 200", discoveryURL, resp.StatusCode,
+			"OIDC discovery from %q failed: %v", discoveryURL, err,
 		)
 	}
 
-	body, err := io.ReadAll(io.LimitReader(resp.Body, maxDiscoveryResponseSize))
-	if err != nil {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"Failed to read OIDC discovery response from %q", discoveryURL,
-		)
-	}
-
-	var discovery models.OIDCDiscovery
-	if err := json.Unmarshal(body, &discovery); err != nil {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery document from %q is not valid JSON", discoveryURL,
-		)
-	}
-
-	// Validate required fields per OpenID Connect Discovery 1.0 spec
+	// Validate required fields per OpenID Connect Discovery 1.0 spec.
+	// Stricter than the runtime path needs — runtime can tolerate missing
+	// fields and surface a less helpful error at login; admin should reject
+	// the configuration up front.
 	var missing []string
-	if discovery.Issuer == "" {
+	if doc.Issuer == "" {
 		missing = append(missing, "issuer")
 	}
-	if discovery.AuthorizationEndpoint == "" {
+	if doc.AuthorizationEndpoint == "" {
 		missing = append(missing, "authorization_endpoint")
 	}
-	if discovery.TokenEndpoint == "" {
+	if doc.TokenEndpoint == "" {
 		missing = append(missing, "token_endpoint")
 	}
-	if discovery.JwksURI == "" {
+	if doc.JwksURI == "" {
 		missing = append(missing, "jwks_uri")
 	}
 	if len(missing) > 0 {
@@ -730,16 +700,17 @@ func fetchAndValidateDiscovery(ctx context.Context, discoveryURL, expectedIssuer
 		)
 	}
 
-	// The issuer in the discovery document MUST exactly match the expected issuer
-	// per OpenID Connect Discovery 1.0, Section 4.3.
-	if discovery.Issuer != expectedIssuer {
-		return nil, apierrors.NewBadRequestError(
-			apierrors.ErrorCodeValidationFailed,
-			"OIDC discovery issuer mismatch: discovery document reports %q but expected %q", discovery.Issuer, expectedIssuer,
-		)
-	}
-
-	return &discovery, nil
+	return &models.OIDCDiscovery{
+		Issuer:                 doc.Issuer,
+		AuthorizationEndpoint:  doc.AuthorizationEndpoint,
+		TokenEndpoint:          doc.TokenEndpoint,
+		UserinfoEndpoint:       doc.UserinfoEndpoint,
+		JwksURI:                doc.JwksURI,
+		ScopesSupported:        doc.ScopesSupported,
+		ResponseTypesSupported: doc.ResponseTypesSupported,
+		GrantTypesSupported:    doc.GrantTypesSupported,
+		SubjectTypesSupported:  doc.SubjectTypesSupported,
+	}, nil
 }
 
 // validateAttributeMapping ensures no sensitive system fields are targeted

internal/api/external.go

@@ -690,8 +690,7 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 	config := a.config
 	var pConfig conf.OAuthProviderConfiguration
 
-	// Build the redirect URL
-	redirectURL := config.API.ExternalURL + "/callback"
+	redirectURL := strings.TrimRight(config.API.ExternalURL, "/") + "/callback"
 
 	// Parse scopes (space-separated per RFC 6749)
 	var scopeList []string
@@ -765,14 +764,14 @@ func (a *API) loadCustomProvider(ctx context.Context, db *storage.Connection, id
 	}
 
 	// Create custom OIDC provider instance
-	// oidc.NewProvider() will automatically fetch discovery document
 	p, err := provider.NewCustomOIDCProvider(
 		ctx,
 		customProvider.ClientID,
 		clientSecret,
 		redirectURL,
 		scopeList,
 		*customProvider.Issuer,
+		customProvider.GetDiscoveryURL(),
 		customProvider.PKCEEnabled,
 		customProvider.AcceptableClientIDs,
 		customProvider.AttributeMapping,

internal/api/provider/custom_oauth.go

@@ -110,12 +110,16 @@ type CustomOIDCProvider struct {
 	authorizationParams map[string]interface{}
 }
 
-// NewCustomOIDCProvider creates a new custom OIDC provider
+// NewCustomOIDCProvider creates a new custom OIDC provider.
+// discoveryURL is the URL to fetch the OIDC discovery document from
+// (typically {issuer}/.well-known/openid-configuration, or an admin-configured
+// override).
 func NewCustomOIDCProvider(
 	ctx context.Context,
 	clientID, clientSecret, redirectURL string,
 	scopes []string,
 	issuer string,
+	discoveryURL string,
 	pkceEnabled bool,
 	acceptableClientIDs []string,
 	attributeMapping, authorizationParams map[string]interface{},
@@ -133,8 +137,7 @@ func NewCustomOIDCProvider(
 		scopes = append([]string{"openid"}, scopes...)
 	}
 
-	// Create OIDC provider - uses cache to avoid redundant discovery fetches
-	oidcProvider, err := cache.GetProvider(ctx, issuer)
+	oidcProvider, err := cache.GetProviderFromURL(ctx, issuer, discoveryURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create OIDC provider: %w", err)
 	}

internal/api/provider/custom_oauth_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -274,11 +275,12 @@ func TestNewCustomOIDCProvider(t *testing.T) {
 		"https://myapp.com/callback",
 		[]string{"profile", "email"}, // Without openid
 		server.URL, // issuer
+		server.URL + "/.well-known/openid-configuration",
 		true, // PKCE enabled
 		[]string{"ios-client", "android-client"},
 		map[string]interface{}{"email": "user_email"},
 		map[string]interface{}{"prompt": "consent"},
-		NewOIDCProviderCache(0),
+		newTestOIDCProviderCache(t, 0),
 	)
 
 	require.NoError(t, err)
@@ -403,6 +405,7 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 		"https://myapp.com/callback",
 		[]string{"openid", "profile"},
 		server.URL, // issuer
+		server.URL + "/.well-known/openid-configuration",
 		false,
 		nil,
 		nil,
@@ -412,7 +415,7 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 			"ui_locales": "en",
 			"login_hint": "user@example.com",
 		},
-		NewOIDCProviderCache(0),
+		newTestOIDCProviderCache(t, 0),
 	)
 
 	require.NoError(t, err)
@@ -431,6 +434,48 @@ func TestCustomOIDCProvider_AuthCodeURL(t *testing.T) {
 	assert.Contains(t, authURL, "login_hint=user")
 }
 
+func TestNewCustomOIDCProvider_CustomDiscoveryURL(t *testing.T) {
+	var server *httptest.Server
+	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/custom-discovery":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"issuer":                 server.URL,
+				"authorization_endpoint": server.URL + "/custom-authorize",
+				"token_endpoint":         server.URL + "/custom-token",
+				"userinfo_endpoint":      server.URL + "/custom-userinfo",
+				"jwks_uri":               server.URL + "/jwks",
+			})
+		case "/jwks":
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]interface{}{"keys": []interface{}{}})
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	p, err := NewCustomOIDCProvider(
+		context.Background(),
+		"test-client-id",
+		"test-secret",
+		"https://myapp.com/callback",
+		[]string{"openid"},
+		server.URL,
+		server.URL+"/custom-discovery",
+		false,
+		nil, nil, nil,
+		newTestOIDCProviderCache(t, time.Hour),
+	)
+	require.NoError(t, err)
+	require.NotNil(t, p)
+
+	assert.Equal(t, server.URL+"/custom-authorize", p.config.Endpoint.AuthURL)
+	assert.Equal(t, server.URL+"/custom-token", p.config.Endpoint.TokenURL)
+	assert.Equal(t, server.URL+"/custom-userinfo", p.userinfoEndpoint)
+}
+
 func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 	// Mock OIDC provider server
 	var server *httptest.Server
@@ -461,11 +506,12 @@ func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 			"https://myapp.com/callback",
 			[]string{"openid"},
 			server.URL, // issuer
+			server.URL + "/.well-known/openid-configuration",
 			true, // PKCE enabled
 			nil,
 			nil,
 			nil,
-			NewOIDCProviderCache(0),
+			newTestOIDCProviderCache(t, 0),
 		)
 
 		require.NoError(t, err)
@@ -481,11 +527,12 @@ func TestCustomOIDCProvider_RequiresPKCE(t *testing.T) {
 			"https://myapp.com/callback",
 			[]string{"openid"},
 			server.URL, // issuer
+			server.URL + "/.well-known/openid-configuration",
 			false, // PKCE disabled
 			nil,
 			nil,
 			nil,
-			NewOIDCProviderCache(0),
+			newTestOIDCProviderCache(t, 0),
 		)
 
 		require.NoError(t, err)