
[Bug]: 400: OAuth state parameter missing #841

Open
3 tasks done
Appfinity-development opened this issue Jan 27, 2025 · 6 comments
Assignees
Labels
auth bug Something isn't working

Comments

@Appfinity-development

Appfinity-development commented Jan 27, 2025

General Info

  • I checked for similar bug report
  • I am using the latest version
  • I checked the troubleshooting page for similar problems

Version(s)

3.0.3

Kotlin Target(s) and their respective versions

Android 10 and up

What happened? (include your code)

import io.github.jan.supabase.auth.providers.Azure
import io.github.jan.supabase.auth.user.UserSession
import kotlinx.coroutines.launch
import kotlinx.coroutines.suspendCancellableCoroutine

// scope, supabaseClient, REDIRECT_URL, AuthInfo, mapToAuthInfo() and
// resumeIfActive() are the reporter's own helpers and are not shown here.
private suspend fun loginWithMicrosoft(): AuthInfo? {
    return suspendCancellableCoroutine { continuation ->
        scope.launch {
            val scopes = listOf("User.Read", "email", "openid", "profile")

            Azure.login(
                supabaseClient = supabaseClient,
                redirectUrl = REDIRECT_URL,
                onSuccess = { userSession: UserSession ->
                    continuation.resumeIfActive(userSession.mapToAuthInfo())
                },
                config = {
                    // `scopes` is the local list above; `this.scopes` is the provider config's list
                    scopes.forEach { this.scopes.add(it) }
                }
            )
        }
    }
}

This opens the external default browser app, but I'm getting this error:

400: OAuth state parameter missing in the Supabase log. I double checked all the values (client id, secret, redirect uri). They are all correct. We also have a native iOS app that uses the Supabase-swift SDK and connects to the same Supabase project without issue. Is this a known issue for Android? Would also be nice if there was an onError callback in this function. In the SDK code I'm seeing an error is just thrown.

Edit: Maybe due to Azure requiring OAuth 2.0? See issue here: https://github.com/orgs/supabase/discussions/2961#discussioncomment-8267427

Steps To Reproduce (optional)

No response

Relevant log output (optional)

@Appfinity-development Appfinity-development added the bug Something isn't working label Jan 27, 2025
@jan-tennert
Collaborator

Is there a reason you are using Azure.login directly instead of supabase.auth.signInWith(Azure)? And are you using a self-hosted instance?

@jan-tennert
Collaborator

jan-tennert commented Jan 27, 2025

Also, this method isn't supposed to be used directly, which is why there is only an onSuccess parameter.

@Appfinity-development
Author

Appfinity-development commented Jan 27, 2025

Just tried with

supabaseClient.auth.signInWith(Azure, redirectUrl = REDIRECT_URL) {
    scopes.forEach { this.scopes.add(it) }
}

But the same error '400: OAuth state parameter missing' happens. Also, I would expect this function to return the result of the sign-in request, not throw various errors and potentially crash the whole app. A failed sign-in request is not really so critical that the whole app needs to be shut down, in my opinion at least.

Any idea what this could be? I also tried including a 'state' parameter with a UUID appended to the URL, but to no avail. It's not self-hosted, just a regular Supabase project with Azure authentication set up. The iOS equivalent app (with the Supabase Swift SDK) does work, so this is why I'm looking into the Android SDK code.
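The error in the original report and the UUID experiment in the comment above both come down to how an OAuth authorization server handles the state parameter: the server mints it when it generates the authorize URL, the provider echoes it back on the redirect, and the server refuses any callback whose state it did not issue. The following is an added, generic Python illustration written for this page; it is not Supabase's or supabase-kt's code and does not reproduce their implementation. It mints a signed, single-use state, builds a provider authorize URL, and validates the redirect back: a callback with no state is refused with the same wording as the issue ("OAuth state parameter missing"), and a value the client made up itself (such as a random UUID) is refused because the server never signed it. The endpoint, client id, redirect URI and signing secret are all constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo values; a real authorization server keeps the signing
# secret in its configuration and rotates it.
SERVER_SECRET = b"demo-state-signing-secret-not-for-production"
STATE_TTL_SECONDS = 600


def _sign(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the state payload, hex encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_state(issued: Set[str], now: Optional[float] = None,
                secret: bytes = SERVER_SECRET) -> str:
    """Mint a fresh state value "<nonce>.<expiry>.<hmac>" and record it as issued.

    The HMAC proves the server produced it, the expiry bounds its lifetime,
    and the `issued` set makes it single-use.
    """
    current = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expiry = int(current) + STATE_TTL_SECONDS
    payload = f"{nonce}.{expiry}"
    state = f"{payload}.{_sign(payload, secret)}"
    issued.add(state)
    return state


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str) -> str:
    """Build the provider's authorization URL; the provider echoes `state` back unchanged."""
    query = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(query)}"


def check_callback(callback_url: str, issued: Set[str], now: Optional[float] = None,
                   secret: bytes = SERVER_SECRET) -> Tuple[int, str]:
    """Validate the redirect back from the provider.

    Returns (http_status, detail): 200 with the authorization code on success,
    otherwise 400 with the reason the callback was refused.
    """
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not state:
        # The condition behind the issue's "400: OAuth state parameter missing".
        return 400, "OAuth state parameter missing"

    parts = state.split(".")
    if len(parts) != 3 or not hmac.compare_digest(
            parts[2].encode(), _sign(f"{parts[0]}.{parts[1]}", secret).encode()):
        # A client-chosen value (e.g. a random UUID) fails here: the server never signed it.
        return 400, "OAuth state parameter not issued by this server"

    current = time.time() if now is None else now
    if not parts[1].isdigit() or int(parts[1]) < current:
        return 400, "OAuth state parameter expired"

    if state not in issued:
        # Already consumed: the same redirect was replayed.
        return 400, "OAuth state parameter already used"
    issued.discard(state)  # single use

    if "error" in params:
        return 400, f"provider returned error: {params['error'][0]}"
    code = params.get("code", [""])[0]
    if not code:
        return 400, "authorization code missing"
    return 200, code


if __name__ == "__main__":
    pending = set()
    demo_state = issue_state(pending)
    print(build_authorize_url("https://provider.example/oauth2/authorize", "client-id-placeholder",
                              "myapp://auth/callback", ["openid", "email"], demo_state))
    good = "myapp://auth/callback?" + urlencode({"code": "code-from-provider", "state": demo_state})
    print(check_callback(good, pending))                           # (200, 'code-from-provider')
    print(check_callback("myapp://auth/callback?code=x", pending))  # (400, 'OAuth state parameter missing')
```

Read against the thread: because the state is bound to the authorize URL the server generated and checked only when the provider redirects back to that server, appending a client-chosen state to the URL cannot fix a missing-state failure. The useful check is the one the maintainer asks for, namely comparing the exact URL the browser is sent to on each platform and confirming the provider redirects back with the state intact.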

@jan-tennert
Collaborator

jan-tennert commented Jan 27, 2025

Also I would expect this function to return the result of the sign in request.

The Auth plugin is not a raw request-response client. When you sign in, the Auth plugin loads in the session and provides it via Auth#sessionStatus or Auth#currentSessionOrNull() for the dev and other plugins. Refreshes and storage management are done automatically.
But the signIn method does not return the session because on other platforms like Android, the response may not be immediate and is rather handled via deeplinks, which is the case for OAuth on Android.

Not throw various errors and potentially crash the whole app. A failed sign in request is not really that critical that the whole app needs to be shutdown, in my opinion at least.

supabase-kt uses the standard exception approach, where you use try-catch for exceptions. The documentation clearly states which exceptions are possibly thrown:

 * @throws RestException or one of its subclasses if receiving an error response. If the error response contains an error code, an [AuthRestException] will be thrown which can be used to more easily identify the problem.
 * @throws HttpRequestTimeoutException if the request timed out
 * @throws HttpRequestException on network related issues
 */

Callbacks are generally rarely used in this library.

Edit: Maybe due to Azure requiring OAuth 2.0?

If Azure OAuth works on iOS, that shouldn't be an issue? Can you share the URLs opened in the browser for Android and iOS? Or everything after https://id.supabase.co/.... Would be great to compare.

@jan-tennert jan-tennert self-assigned this Jan 27, 2025
@Appfinity-development
Author

Appfinity-development commented Jan 28, 2025

For iOS it's a bit different, since it's a multiplatform app that also supports macOS. The webview there opens this URL:

"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=\(clientId)&response_type=code&redirect_uri=\(redirectUri)&scope=\(encodedScope)&prompt=select_account"

and the redirectUri value is: "msauth.[app.package.example]://auth"

After successful authorisation inside the iOS webview, an authorisation code is returned by the webview callback, which is then used to make an API call and get an access_token and id_token from the Azure API. The id_token is then used with the Supabase Swift SDK, which calls:

let credential = OpenIDConnectCredentials(provider: authInfo.getSupabaseProvider(), idToken: authInfo.getIdToken())
let session = try await sb().auth.signInWithIdToken(credentials: credential)

Should I modify the Android code to this? I was hoping for a more plug and play solution.

@jan-tennert
Collaborator

jan-tennert commented Jan 28, 2025

No, OAuth with deeplinks should be fine. Just to verify: did you follow this guide?
