X/Twitter OAuth 2.0 fails with 400 - Supabase sending invalid users.email scope
authX/Twitter OAuth 2.0 authentication fails with "Something went wrong" error from Twitter. Similar to help-and-questionsX OAuth 2.0 - "Something Went Wrong" - Shown after following Supabase authorize url issue, I am able to sign in on local host and authorize but then get rejected with 400.
Supabase is sending
The OAuth URL Supabase generates:
Browser console shows:
GET /i/api/2/oauth2/authorize?...&scope=users.email%20tweet.read...
[HTTP/2 400 82ms]
X returns: "Something went wrong. You weren't able to give access to the App."
According to Twitter's OAuth 2.0 documentation, valid scopes are:
-
-
-
-
-
I don't think the
Code:
None of these prevent Supabase from sending the users.email scope:
1. Toggled "Allow users without an email" OFF and back ON
2. Explicitly set custom scopes in code - Supabase appends them to defaults
3. Removed custom scopes entirely
4. Disabled and re-enabled the X provider
5. Created new Twitter OAuth app with fresh credentials
Supabase successfully redirects (302), but Twitter rejects the request (400):
{
"msg": "Redirecting to external provider",
"provider": "x",
"status": "302"
}
GitHub issue #41705 describes a separate redirectTo bug with X OAuth.
Is there a way to configure the X provider to not send the users.email scope?
Supabase is sending
users.emailThe OAuth URL Supabase generates:
Browser console shows:
GET /i/api/2/oauth2/authorize?...&scope=users.email%20tweet.read...
[HTTP/2 400 82ms]
X returns: "Something went wrong. You weren't able to give access to the App."
According to Twitter's OAuth 2.0 documentation, valid scopes are:
-
tweet.readtweet.write-
users.read-
follows.readfollows.write-
offline.access-
like.readlike.writeI don't think the
users.emailCode:
None of these prevent Supabase from sending the users.email scope:
1. Toggled "Allow users without an email" OFF and back ON
2. Explicitly set custom scopes in code - Supabase appends them to defaults
3. Removed custom scopes entirely
4. Disabled and re-enabled the X provider
5. Created new Twitter OAuth app with fresh credentials
Supabase successfully redirects (302), but Twitter rejects the request (400):
{
"msg": "Redirecting to external provider",
"provider": "x",
"status": "302"
}
GitHub issue #41705 describes a separate redirectTo bug with X OAuth.
Is there a way to configure the X provider to not send the users.email scope?
GitHub
Bug report I confirm this is a bug with Supabase, not with my own application. I confirm I have searched the Docs, GitHub Discussions, and Discord. Describe the bug In Next.js when using signInWith...
