Updating @supabase/auth-helpers-nextjs from 0.6.1 to 0.7.0 breaks SAML Auth Supabase #help-and-questions

Updating @supabase/auth-helpers-nextjs from 0.6.1 ...

Razoth

05/26/2023, 10:00 AM

i still use the pages directory but i tried it with the app directory too (everything like it's on the docs) if i use the new "createPagesBrowserClient" on the pages directory version of the app i get some SameSite Policy warning about the refresh and token cookie. if i try to login the application logs into MS active directory, i get back to localhost with the token in the url and its valid. the client doesn't seem to be able set the auth cookie, nor changes the state. i tripple checked all callback url's, its all fine if i reverse to 0.6.1. i don't know what kind of information you need, since i don't get an error on either the client nor server side. it just doesn't login.

silentworks

05/26/2023, 10:07 AM

Rollback to

0.6.1

for now, we thought we covered all bases and this release wouldn't have been a breaking change but it turns out it is since we moved from

implicit

pkce

auth flow. We are writing some migration guides at the moment.

silentworks

05/26/2023, 10:07 AM

Basically your

callback

url will need to change slightly to accomodate

pkce

Razoth

05/26/2023, 10:31 AM

I did already. Thank you. I will wait

silentworks

05/26/2023, 10:32 AM

Are you using app dir or pages?

Razoth

05/26/2023, 10:39 AM

pages currently, will switch to app directory in the future probably, when more design libs are supporting it. slightly longer explanation: i migrated everything to app dir yesterday to test it, had the auth issue, and searched for like 2 h if i've done something wrong, today i was moving to release a beta version of the pages version and updated all npm packages to the latest supported versions, had the same issue as on the app directory, rolled back to 0.6.1 and it started working again and here i am reporting this bug.

Razoth

05/26/2023, 10:39 AM

client side on the app directory tho

silentworks

05/26/2023, 10:42 AM

Ok thanks for reporting.

silentworks

05/26/2023, 2:08 PM

We've added a migration guide to the guides explaining what you need to do for the update to work https://supabase.com/docs/guides/auth/auth-helpers/nextjs-pages#migrating-to-v07x

Razoth

05/26/2023, 9:24 PM

thanks, i will check it out next time i'm working again. i really have to stop spending so much time on this without getting paid 😄

Razoth

05/27/2023, 3:03 PM

@silentworks i got another issue, i get the token back to the callback function with this

Copy code

http://localhost:3000/api/auth/callback#access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiO.....

which doesn't relate to

Copy code

const { code } = req.query

Razoth

05/27/2023, 3:04 PM

i did the callback stuff the last time i tried too, that was probably the main issue

Razoth

05/27/2023, 3:34 PM

afaik there is no way of getting the stuff after # on an api route.

Razoth

05/27/2023, 3:35 PM

i can get it on a normal route ofc, but no idea how that would work with

Copy code

supabaseClient.auth.exchangeCodeForSession()

silentworks

05/27/2023, 3:36 PM

You are mixing PKCE flow with implicit flow. This means you aren’t using the latest auth-helpers to handle authentication

Razoth

05/27/2023, 3:53 PM

now i'm completly confused. i updated the packages to

Copy code

"@supabase/auth-helpers-nextjs": "^0.7.0",
    "@supabase/auth-helpers-react": "^0.4.0",

deleted the node_modules and .next folder, installed everything with pnpm, and yeah, i'm at this point now. updated the functions, reconfigured the redirect url's too ofc.

Razoth

05/27/2023, 4:18 PM

short question short: how do i change the flow to pkce?

silentworks

05/27/2023, 4:23 PM

It’s does so automatically with the latest auth-helpers. There isn’t anything you need to do.

Razoth

05/27/2023, 4:24 PM

do i need to to change something on azure's site?

silentworks

05/27/2023, 4:25 PM

No this wouldn’t have anything to do with Azure at all.

silentworks

05/27/2023, 4:28 PM

My guess would be that you are making the auth call with

@supabasse/supabase-js

rather than

@supabase/auth-helpers-nextjs

silentworks

05/27/2023, 4:31 PM

Are you testing against a hosted project or a local project?

Razoth

05/27/2023, 4:45 PM

local project.

Razoth

05/27/2023, 4:51 PM

i have 1 place where i initialize the supabase client, in a supabase-browser.ts file in a util directory.

Copy code

js
import { createPagesBrowserClient } from "@supabase/auth-helpers-nextjs";

export const supabaseBrowserClient = createPagesBrowserClient();

so i don't get some confusion with browser or server client.

Razoth

05/27/2023, 4:51 PM

and i use it everywhere, exept the callback.ts file, there its the server client ofc ^^

Razoth

05/27/2023, 4:52 PM

i don't even have @supabasse/supabase-js installed.

silentworks

05/27/2023, 4:53 PM

That is very weird. Please open a support ticket so we can check and be sure PKCE was enabled on your project. We did upgrade all project’s GoTrue to the latest which has PKCE but maybe we missed yours somehow.

Razoth

05/27/2023, 4:57 PM

ahhhhhh it could actually be, i asked support to enable pkce early, but i never followed up on it since i had very limited time. maybe there was something set that the batch update didn't catch.

Razoth

05/27/2023, 4:57 PM

eh, can i link to this topic or something, or explain everything again? 😄

silentworks

05/27/2023, 4:59 PM

Just mention the relevant bits like you are still seeing the

implicit

flow even though you are using the latest

@supabase/auth-helpers-nextjs

which uses the

pkce

flow by default.

silentworks

05/27/2023, 4:59 PM

Let me know when you've done that and I will add further notes on the ticket you open.

Razoth

05/27/2023, 5:12 PM

@silentworks send. thanks for your help.

silentworks

05/27/2023, 5:18 PM

Ok I've seen the ticket, thank you.

Previous Next