Bug found with help from Claude Sonnet 3.6, confirmed by Gemini.
Description
The OAuth 2.1 Authorization Server feature is currently unusable on hosted Supabase projects. When initiating the authorization code flow, the server issues a 302 redirect to {SITE_URL}/oauth/consent.
However, this path is not served by the GoTrue API, nor is there a default UI deployed by the Supabase platform at that location, resulting in the error: { "error": "requested path is invalid" }.
To Reproduce
- Enable an OAuth 2.1 client (e.g., for an MCP connector) in a hosted project.
- Call the authorize endpoint:
GET https://cjwyjqklzrufnbtnzxfa.supabase.co/auth/v1/oauth/authorize?client_id=...&response_type=code&scope=openid
- The browser is redirected to https://cjwyjqklzrufnbtnzxfa.supabase.co/oauth/consent?authorization_id=...
- The page returns a 404 or { "error": "requested path is invalid" }.
Technical Analysis
The redirect target is constructed in internal/api/oauthserver/authorize.go (lines 166–173):
baseURL := s.buildAuthorizationURL(config.SiteURL, config.OAuthServer.AuthorizationPath)
redirectURL := fmt.Sprintf("%s?authorization_id=%s", baseURL, authorization.AuthorizationID)
http.Redirect(w, r, redirectURL, http.StatusFound)
On hosted projects, AuthorizationPath defaults to /oauth/consent. Because this is a headless API, GoTrue expects a frontend to handle the UI at that path.
The Gap: The platform does not serve a default consent page, and the GOTRUE_OAUTH_SERVER_AUTHORIZATION_PATH environment variable is not exposed in the Dashboard. This prevents developers from pointing the redirect to a custom Edge Function or branded UI.
Documentation Discrepancy
Recent documentation (Feb 2026) suggests that an "Authorization Path" setting should exist under Authentication > OAuth Server, but this field is currently missing/hidden in project cjwyjqklzrufnbtnzxfa (Region: sa-east-1).
Expected Behavior
- The Authorization Path configuration should be exposed in the Dashboard to allow custom consent URIs.
- Alternatively, an absolute URL should be supported for AuthorizationPath to allow redirects to Edge Functions without misconfiguring the project's global SiteURL.
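As an added example (not GoTrue's code and not part of the original report), the Go below models the redirect construction quoted from authorize.go and the absolute-URL behaviour requested above, together with the check a practitioner would want before allowing it: if AuthorizationPath may be an absolute URL, its host has to be allowlisted (the SiteURL host or an explicit list), otherwise /auth/v1/oauth/authorize becomes an open redirector that hands authorization_id to whatever host is configured. It also URL-encodes authorization_id instead of interpolating it with Sprintf. The config field names, the AllowedConsentHosts allowlist and the Edge Function URL are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Example only: a model of the redirect built in authorize.go, extended with
// the behaviour this issue asks for. Field names and the allowlist are
// assumptions, not GoTrue configuration.
type oauthServerConfig struct {
	SiteURL           string // project's global Site URL
	AuthorizationPath string // relative path (current) or absolute https URL (proposed)
	// Hosts an absolute AuthorizationPath may point at, in addition to the
	// SiteURL host. Without this check an absolute value turns the authorize
	// endpoint into an open redirector that leaks authorization_id.
	AllowedConsentHosts []string
}

const defaultAuthorizationPath = "/oauth/consent" // hosted default named in the issue

var errConsentHostNotAllowed = errors.New("consent host not in allowlist")

// buildConsentRedirect returns the Location the authorize endpoint should 302
// to, or an error if the configuration would redirect somewhere unsafe.
func buildConsentRedirect(cfg oauthServerConfig, authorizationID string) (string, error) {
	if authorizationID == "" {
		return "", errors.New("empty authorization_id")
	}
	site, err := url.Parse(cfg.SiteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "", fmt.Errorf("invalid SiteURL %q", cfg.SiteURL)
	}

	path := cfg.AuthorizationPath
	if path == "" {
		path = defaultAuthorizationPath
	}

	var target *url.URL
	if strings.Contains(path, "://") {
		// Proposed: an absolute URL (e.g. an Edge Function) so SiteURL need not change.
		target, err = url.Parse(path)
		if err != nil {
			return "", fmt.Errorf("invalid AuthorizationPath %q", path)
		}
		if target.Scheme != "https" {
			return "", errors.New("absolute AuthorizationPath must use https")
		}
		if !hostAllowed(target.Host, site.Host, cfg.AllowedConsentHosts) {
			return "", errConsentHostNotAllowed
		}
	} else {
		// Current behaviour: join the path onto SiteURL. Scheme and host are
		// taken from SiteURL, so a "//evil.example/x" path cannot change them.
		target = &url.URL{Scheme: site.Scheme, Host: site.Host}
		target.Path = strings.TrimRight(site.Path, "/") + "/" + strings.TrimLeft(path, "/")
	}

	// Encode the id rather than interpolating it, so a value containing
	// '&' or '#' cannot smuggle extra query parameters into the redirect.
	q := target.Query()
	q.Set("authorization_id", authorizationID)
	target.RawQuery = q.Encode()
	return target.String(), nil
}

func hostAllowed(host, siteHost string, extra []string) bool {
	if strings.EqualFold(host, siteHost) {
		return true
	}
	for _, h := range extra {
		if strings.EqualFold(host, h) {
			return true
		}
	}
	return false
}

func main() {
	cfg := oauthServerConfig{SiteURL: "https://cjwyjqklzrufnbtnzxfa.supabase.co"}
	for _, p := range []string{
		"", // hosted default, /oauth/consent
		"https://cjwyjqklzrufnbtnzxfa.supabase.co/functions/v1/consent", // assumed Edge Function URL
		"https://attacker.example/consent",                              // must be rejected
	} {
		cfg.AuthorizationPath = p
		loc, err := buildConsentRedirect(cfg, "0b1c")
		fmt.Printf("path=%q -> %s err=%v\n", p, loc, err)
	}
}
```

The allowlist defaults to the SiteURL host alone, which keeps the current hosted behaviour unchanged; an operator who points AuthorizationPath at a different origin has to list it explicitly.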
System Info
- Project Ref: cjwyjqklzrufnbtnzxfa
- Region: sa-east-1
- Date/Time: 2026-03-06 (UTC-3)
- Use Case: Internal ChatGPT MCP Connector (Branded UI required).