Auth

OAuth with PKCE flow for SSR

Learn how to configure OAuth authentication in your server-side rendering (SSR) application to work with the PKCE flow.

Setting up SSR client

Check out our guide for creating a client to learn how to install the necessary packages, declare environment variables, and create a Supabase client configured for SSR in your framework.

Create API endpoint for handling the code exchange

In order to use OAuth we will need to setup a endpoint for the code exchange, to exchange an auth code for the user's session, which is set as a cookie for future requests made to Supabase.

Create a new file at app/auth/callback/route.ts and populate with the following:

app/auth/callback/route.ts

_38
import { cookies } from 'next/headers'
_38
import { NextResponse } from 'next/server'
_38
import { type CookieOptions, createServerClient } from '@supabase/ssr'
_38
_38
export async function GET(request: Request) {
_38
const { searchParams, origin } = new URL(request.url)
_38
const code = searchParams.get('code')
_38
// if "next" is in param, use it as the redirect URL
_38
const next = searchParams.get('next') ?? '/'
_38
_38
if (code) {
_38
const cookieStore = cookies()
_38
const supabase = createServerClient(
_38
process.env.NEXT_PUBLIC_SUPABASE_URL!,
_38
process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
_38
{
_38
cookies: {
_38
get(name: string) {
_38
return cookieStore.get(name)?.value
_38
},
_38
set(name: string, value: string, options: CookieOptions) {
_38
cookieStore.set({ name, value, ...options })
_38
},
_38
remove(name: string, options: CookieOptions) {
_38
cookieStore.delete({ name, ...options })
_38
},
_38
},
_38
}
_38
)
_38
const { error } = await supabase.auth.exchangeCodeForSession(code)
_38
if (!error) {
_38
return NextResponse.redirect(`${origin}${next}`)
_38
}
_38
}
_38
_38
// return the user to an error page with instructions
_38
return NextResponse.redirect(`${origin}/auth/auth-code-error`)
_38
}

Let's point our .signInWithOAuth method's redirect to the callback route we create above:

In the browser, signInWithOAuth automatically redirects to the SSO provider's authentication endpoint, which then redirects to your endpoint.


_10
await supabase.auth.signInWithOAuth({
_10
provider,
_10
options: {
_10
redirectTo: `http://example.com/auth/callback`,
_10
},
_10
})