Supabase Self-Service and Consent Server

This application implements the OAuth 2.1 consent screen for a Supabase Auth server. When a third-party application requests access to a user's account, Supabase Auth redirects here so the user can review and approve or deny the request.

How it works

A third-party app redirects the user to your Supabase Auth/authorizeendpoint.
Supabase Auth validates the OAuth parameters and redirects to/oauth/consent?authorization_id=...on this server.
If the user is not logged in, they are sent to/loginfirst, then redirected back.
The consent screen displays the requesting client's name, redirect URI, and requested scopes.
The user approves or denies. The decision is sent back to Supabase Auth, which redirects the user to the third-party app with an authorization code or an error.

Configuration

Enable the OAuth server in your Supabase config:

[auth.oauth_server]
enabled = true
authorization_url_path = "/oauth/consent"
allow_dynamic_registration = false

Then, in Auth → URL Configurationin your Supabase project, add this server's OAuth callback to the Redirect URLs allowlist (one entry per environment):

https://<your-host>/auth/callback
http://localhost:3000/auth/callback

Without this, Supabase will silently fall back to its Site URL after social login and the user will land on the wrong host.

Reverse proxy

When hosting behind nginx, raise the upstream response-header buffers. Supabase chunks the session JWT into multiple Set-Cookie headers on/auth/callback, which can overflow the default 4 KB buffer and produce upstream sent too big header 502s. In your server or location block:

proxy_buffer_size       16k;
proxy_buffers           8 16k;
proxy_busy_buffers_size 32k;

Endpoints

Path	Purpose
/oauth/consent	Consent screen shown to the user
/login	Authentication page for unauthenticated users
/auth/callback	Exchanges the OAuth code for a session after social login
/account	Account overview where users manage linked sign-in providers
/docs	This page