Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github App Installations #584

Open
saddam-azad opened this issue Jun 10, 2023 · 13 comments
Open

Github App Installations #584

saddam-azad opened this issue Jun 10, 2023 · 13 comments
Labels
bug Something isn't working

Comments

@saddam-azad
Copy link

Describe the bug

We are using a Github App (as opposed to Github OAuth App) as the Client ID in Supabase Auth. Supabase handles normal user authentication as expected: The App is installed on the User account successfully.

However, if we attempt to add new installations of the App on more User/Org accounts, Supabase is unable to handle App installations.

To Reproduce

  1. Create a Github App and a Supabase project
  2. Use Github as provider for Supabase Auth; Use Github App Client ID
  3. Attempt to create new app installation

Here is the workflow:

  1. The user clicks on a button that should take them to the following URL:
    https://github.com/apps/<APP>/installations/new

  2. The user selects an account or organization and proceeds to install the GitHub App.

  3. After the installation is completed, GitHub redirects the user to the Redirect URL:
    https://<PROJECT>.supabase.co/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install

  4. Error: 400 "OAuth state parameter missing"

Expected behavior

Supabase should redirect the user back to the app with a refreshed token.

System information

  • OS: Windows 11
  • Version of supabase-js: 2.24.0
  • Version of Node.js: v18.13.0
@saddam-azad saddam-azad added the bug Something isn't working label Jun 10, 2023
@saddam-azad
Copy link
Author

saddam-azad commented Jun 10, 2023
edited
Loading

Take 2

  1. Generated nanoid and sent ?state parameter with initial query
    https://github.com/apps/<APP>/installations/new?state=<NANOID>

  2. On success, Github sends browser to:
    https://<PROJECT>.supabase.co/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install&state=<NANOID>

  3. This is what happens on Supabase end:
    { "code":400, "msg":"OAuth state is invalid: token contains an invalid number of segments" }

What is the expected format of the state?

@silentworks
Copy link
Contributor

I've just been able to test this now and I'm not getting any of the errors you are getting. Do note you need to enable the email addresses permission when setting this up. I've attached a video showing this working with my application.

Kapture.2023-09-04.at.13.44.53.mp4
Screenshot 2023-09-04 at 13 35 00

@yojindo
Copy link

yojindo commented Sep 8, 2023

I'm having the same exact issue as well, but despite turning on the email address access, I'm still receiving the same issue.

@gabriel-pineda
Copy link

I am also getting the same issue.
@silentworks perhaps this can be reopened.

Your video showed the flow where users login through the app.
The issue/error above happens when the user installs the app from Github itself.

@silentworks
Copy link
Contributor

@gabriel-pineda You will need to provide me with steps for that please and it would be good to provide an app that works with the flow you are mentioning so I can understand it better.

@gabriel-pineda
Copy link

gabriel-pineda commented Sep 16, 2023
edited
Loading

@saddam-azad outlined it perfectly above, but i can supply you with a video:

supabase-auth-bug.mov

this flow started from clicking on "Install App" from the Github App page.

whereas in your video, you installed the App on your website. Installing the app via the website works fine, the problem lies on installing the app from Github App page (and possibly even in github app marketplace)

Edit: might also be related to this:https://github.com/orgs/supabase/discussions/397#discussioncomment-396221

@silentworks
Copy link
Contributor

@gabriel-pineda I was asking for an app that actually works with this flow, not one that doesn't work (in the case of your supabase app). I need to see the flow working to understand better what is supposed to happen, so please link to any other GitHub App that you know of that works as expected.

@saddam-azad
Copy link
Author

saddam-azad commented Sep 21, 2023
edited
Loading

@silentworks, appears there is some confusion regarding what is happening. Allow me to break this down:

1. Supabase Github OAuth Flow:

- Uses Github OAuth App
- Installs the OAuth App on the User's Account

i.e. User clicks on Login (using Supabase client-side handler)
The User is taken to https://github.com/login/oauth/authorize?client_id=<APP_ID>,
User installs the app,
User is redirected to Supabase Redirect URL (auth/v1/callback)
which then redirects User back to the Client with token.

Supabase works as expected.

Edit: The OAuth Flow works seamlessly with a Github App too, as you have shown in your video.

2. Github App Installation Flow:

- Uses Github App (which is distinct from Github OAuth App)
- Not installed on a User Account - instead it manages `installations` on multiple Accounts
- Each installation has a unique ID.

i.e. User goes to https://github.com/apps/<APP_ID>/installations/new,

This flow only takes place when a) You try to install a Github App from Marketplace, or b) The Client sends User to this URL on purpose.

User creates a new installation on one of their accounts (Personal or Org)

Github redirects the User to Supabase Redirect URL such as:
/auth/v1/callback?code=<CODE>&installation_id=<ID>&setup_action=install&state=<STATE>

The installation flow sends installation_id and setup_action=install as unique query parameters along with state. Supabase is unable to handle this request because this was never considered a use-case.

As you can see, the Github App Installation Flow is different from Github OAuth Flow. I hope this clarifies the issue. This thread can be tagged as a Feature Request, not a bug.

@silentworks
Copy link
Contributor

@saddam-azad I don't think you read my message correctly. What I am asking for is an example app (not Supabase app) that has this flow working so I can see what is expected to happen. Describing to me what's happening without me being able to test it makes it kinda hard for me to work out what's causing the issue as this might be more of a GoTrue issue than the auth-helpers itself.

@saddam-azad
Copy link
Author

@silentworks Try out nuxt.studio. Create an account and import a project from Github. There is a working Github App Installation Flow.

@silentworks
Copy link
Contributor

Thanks for the link @saddam-azad, I'm going to re-open this issue until I test nuxt.studio and see how the flow work to further finding a fix for the issue.

@silentworks silentworks reopened this Oct 5, 2023
@rafaelmotta
Copy link

@saddam-azad have you figured out this? I'm also facing the same problem

@horlah
Copy link

horlah commented Feb 2, 2024

I found the fix, uncheck the "Request user authorization (OAuth) during installation" checkbox below the "Callback URL" input and add the callback URL for your Github App installation redirect to the "Setup URL (optional)" input field in the "Post installation" section.

So you don't have your Github App redirecting to Supabase Auth callback

Screenshot 2024-02-01 at 8 16 45 PM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@silentworks @saddam-azad @rafaelmotta @horlah @yojindo @gabriel-pineda