Supabase, 2mo ago
bryan

Get Google Scopes

Based on this: https://developers.google.com/identity/protocols/oauth2/native-app#check-granted-scopes, Google should return a "scope" field on the response to indicate which permissions the user allowed. Is there a way to receive this info after delegating the auth process through Supabase?
8 Replies
ihm40, 2mo ago
Hmm, do you see any entries in the auth.oauth_clients table? There is a grant_types column which might be relevant.
bryan (OP), 2mo ago
There are no entries in that table
ihm40, 2mo ago
Okay, I think what is happening here is that you have used the implicit flow to delegate signing up with OAuth via Google, but you actually need to follow the PKCE flow in your case, as you probably want to interact with Google services and get things like scope. So it might make more sense to do the exchange of code for tokens server-side, where you will also get the scopes back (hopefully): https://supabase.com/docs/guides/auth/sessions/pkce-flow
bryan (OP), 2mo ago
I do use the PKCE flow. I set flowType to "pkce".
    return createClient<SupabaseDatabase>(url, publicKey, {
      auth: {
        storage: authStorage,
        autoRefreshToken: true,
        persistSession: true,
        detectSessionInUrl: false,
        flowType: "pkce",
      },
    });
I call:
    return await supabase.client.auth.signInWithOAuth({
      provider: "google",
      options: {
        queryParams: {
          access_type: "offline",
          prompt: "consent",
        },
        redirectTo: REGISTER_REDIRECT_URI,
        scopes: "https://www.googleapis.com/auth/gmail.readonly",
      },
    });
Then in my register handler, I get the code from the query parameters and call:
    return await supabase.client.auth.exchangeCodeForSession(code);
ihm40, 2mo ago
Ahh okay
bryan (OP), 2mo ago
I guess I can verify the scopes by calling the Google APIs and checking the status. It's a weird workaround, though, when using Supabase.
ihm40, 2mo ago
Yeah, I think that might be the best option. This might not be all that common for PKCE, i.e. custom selection of roles. Most providers have that 'all or nothing' approach, so it might be that the level of abstraction done by
    return await supabase.client.auth.exchangeCodeForSession(code);
is only focused on the access/refresh token.