Also known as: OAuth 2.1, social login, federated authentication
Definition
OAuth is an open standard for delegated authorization, used in Supabase apps as federated sign-in via providers like Google, GitHub, and Apple. The user authenticates with the provider, the provider returns an authorization code to a callback route, and the server exchanges the code for a Supabase session via PKCE.
OAuth lets a user prove their identity using an existing account at a trusted provider. The Supabase client calls signInWithOAuth({ provider: 'google' }), which redirects to Google. Google authenticates the user, then redirects back to a callback route on your app with an authorization code. Your callback exchanges that code for a Supabase session.
Three rules. First, configure the dashboard's Redirect URLs allowlist with exact callback paths in production, not wildcard patterns such as **. Second, validate any next query parameter the callback uses for post-auth redirects: it must start with exactly one / and never with // (which browsers interpret as a protocol-relative URL pointing at another host). Third, fail closed on PKCE exchange errors: if the code exchange returns an error or throws, redirect to an error page instead of the requested destination.
A Server Action calls signInWithOAuth, the user lands on the provider, the provider redirects to /auth/callback?code=..., and a Route Handler calls exchangeCodeForSession(code). The handler sets HttpOnly session cookies via @supabase/ssr and redirects the user to the validated next path, their dashboard by default.
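The callback logic described above, as an added example that is not part of this page, Supabase, or @supabase/ssr. It shows the three rules in working code: the next-path check (extended here to also reject a leading backslash, which browsers treat like a slash, and control characters that could corrupt the Location header), and a fail-closed handler that sends the user to a hypothetical /auth/error page whenever the code is missing or the exchange fails. The exchange step is injected as a function returning the same { error } shape as exchangeCodeForSession, so the file runs offline; the origin app.example.invalid and the 303 status are assumed values.

```typescript
// Added example: fail-closed OAuth callback handling for a Supabase PKCE flow.
// Not Supabase's own code. The exchange is injected so this runs without a network.

type ExchangeResult = { error: Error | null };
// Mirrors the { error } shape returned by supabase.auth.exchangeCodeForSession(code).
type ExchangeFn = (code: string) => Promise<ExchangeResult>;

/**
 * Accept `next` only if it is a same-origin absolute path; otherwise use the fallback.
 * Rejects "//host" (protocol-relative), "/\host" (browsers normalise "\" to "/"),
 * absolute URLs, and control characters that could split the Location header.
 */
function safeNextPath(next: string | null, fallback = "/dashboard"): string {
  if (!next) return fallback;
  if (!next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) return fallback;
  if (/[\u0000-\u001f\u007f]/.test(next)) return fallback;
  // Resolve against a dummy origin and confirm the result stays on that origin.
  const base = "https://app.example.invalid"; // assumed origin, only used for resolution
  const resolved = new URL(next, base);
  if (resolved.origin !== base) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Simplified response: a redirect status and the Location value.
type CallbackOutcome = { status: 303; location: string };

/** Route Handler logic for /auth/callback: exchange the code, then redirect. */
async function handleCallback(requestUrl: string, exchange: ExchangeFn): Promise<CallbackOutcome> {
  const url = new URL(requestUrl);
  const code = url.searchParams.get("code");
  const next = safeNextPath(url.searchParams.get("next"));
  const errorLocation = `${url.origin}/auth/error`; // hypothetical error page

  // Rule 3: no code, an error result, or a thrown exception all fail closed.
  if (!code) return { status: 303, location: errorLocation };
  try {
    const { error } = await exchange(code);
    if (error) return { status: 303, location: errorLocation };
  } catch {
    return { status: 303, location: errorLocation };
  }
  // Rule 2: only a validated same-origin path is used for the final redirect.
  return { status: 303, location: `${url.origin}${next}` };
}

// Stand-alone demonstration with a constructed exchange that always succeeds.
const okExchange: ExchangeFn = async () => ({ error: null });
void handleCallback(
  "https://app.example.invalid/auth/callback?code=constructed-code&next=//attacker.example",
  okExchange,
).then((outcome) => console.log(outcome)); // next is rejected, user lands on /dashboard
```

In a real Route Handler the injected function would be `(code) => supabase.auth.exchangeCodeForSession(code)` with a server client from @supabase/ssr, and the outcome would be turned into the framework's redirect response; the session cookies are written by that client during the exchange, so the fail-closed branches above never reach the redirect with a half-established session.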