Skip to content

update: Supabase new OIDC integration#764

Open
tamalchowdhury wants to merge 3 commits into
mainfrom
tamal/update/supabase-new-oidc-integration
Open

update: Supabase new OIDC integration#764
tamalchowdhury wants to merge 3 commits into
mainfrom
tamal/update/supabase-new-oidc-integration

Conversation

@tamalchowdhury

@tamalchowdhury tamalchowdhury commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

This PR replaces the old minted JWT authentication to Supabase native OIDC integration. Now Kinde works as an IdP for Supabase; SB handles the session, and users are stored in the database.

Summary by CodeRabbit

  • Documentation
    • Replaced the Kinde–Supabase integration guide with a streamlined Quickstart for Next.js.
    • Added setup instructions for Kinde as a custom OAuth provider, including scopes, callback URLs, and auto-discovery.
    • Added examples for login, registration, logout, OAuth callbacks, session handling, and protected-route redirects.
    • Included a verification checklist for confirming authentication in both dashboards.

@tamalchowdhury
tamalchowdhury requested a review from a team as a code owner July 13, 2026 10:14
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The Kinde–Supabase integration guide was rewritten as a Quickstart covering custom OAuth configuration, Next.js authentication flows, logout handling, redirects, and verification steps.

Changes

Kinde–Supabase OAuth Quickstart

Layer / File(s) Summary
Provider setup and guide metadata
src/content/docs/integrate/third-party-tools/kinde-supabase.mdx
Updates document metadata and explains Kinde application creation, Supabase custom provider configuration, scopes, and callback URLs.
Next.js OAuth flow and validation
src/content/docs/integrate/third-party-tools/kinde-supabase.mdx
Documents login and registration buttons, callback session exchange, logout redirection, protected-route redirects, and checks for users in Kinde and Supabase.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: onderay

Poem

I’m a bunny hopping through OAuth bright,
Kinde sends the user into Supabase light.
Next.js catches the code with care,
Sessions and redirects bloom in the air.
Login, logout—everything’s neat,
Two dashboards make the trail complete!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: documenting Supabase's new OIDC integration with Kinde.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch tamal/update/supabase-new-oidc-integration

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying kinde-docs-preview with  Cloudflare Pages  Cloudflare Pages

Latest commit: da57d6b
Status: ✅  Deploy successful!
Preview URL: https://dd3f9d9e.kinde-docs-preview.pages.dev
Branch Preview URL: https://tamal-update-supabase-new-oi.kinde-docs-preview.pages.dev

View logs

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/content/docs/integrate/third-party-tools/kinde-supabase.mdx`:
- Around line 100-114: Update the Kinde-Supabase integration guide’s setup steps
to instruct users to add /auth/callback to Supabase Authentication > URL
Configuration, including http://localhost:3000/auth/callback and the
corresponding production URL.
- Around line 188-198: Validate the next parameter in the GET callback before
using it in NextResponse.redirect, allowing only same-origin relative paths and
rejecting values such as `@attacker.example` or absolute URLs. Preserve the
existing /protected fallback and redirect valid paths using the existing origin.
- Around line 82-84: Update the Kinde setup instructions around the application
Details page to also add the local and production app origins to the Allowed
logout redirect URLs field, alongside the existing callback URL configuration,
so logout returns correctly to the app.
- Around line 77-79: Update the Aside in the Kinde/Supabase integration
documentation to instruct users to request the Kinde provider refresh token with
the `offline` scope instead of `offline_access`, and explicitly distinguish it
from Supabase’s session refresh token.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 046e3f06-c067-461d-88a2-575eb3017265

📥 Commits

Reviewing files that changed from the base of the PR and between 886d14b and da57d6b.

📒 Files selected for processing (1)
  • src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

Comment on lines +77 to +79
<Aside>
To get a refresh token, include the `offline_access` scope.
</Aside>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the target file around the cited lines.
sed -n '60,95p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

# Search for related scope usage in the repo.
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/.git/**' 'offline_access|offline scope|Kinde provider refresh token|refresh token' src/content/docs

Repository: kinde-oss/documentation

Length of output: 39442


🌐 Web query:

Kinde offline_access offline scope refresh tokens documentation

💡 Result:

To request a refresh token in Kinde, you must include the offline scope in your authentication request [1]. Unlike some other OAuth 2.0 providers that use the standard OIDC offline_access scope [2][3][4], Kinde specifically uses offline [1][5][6]. Key details regarding Kinde's approach include: Scope requirement: When initiating an authentication request (e.g., via the /oauth2/auth endpoint), ensure the scope parameter contains offline [1]. Kinde's official SDKs typically include offline in the default scope list (along with openid, profile, and email), so you may not need to take extra action if using an official SDK [7]. If you are building a custom implementation or overriding the defaults, you must explicitly include offline in the scope string [1][6][7]. Behavior: Including the offline scope enables your application to receive a refresh token alongside the access token [1]. This refresh token can then be used to obtain new access tokens without requiring the user to re-authenticate, effectively extending the user's session [1][8]. Usage: Once you receive the refresh token, you use it by sending a POST request to the /oauth2/token endpoint with the grant_type set to refresh_token [1]. If you are following tutorials or documentation for other identity providers (such as Auth0 or Keycloak), note that they commonly use offline_access [2][4], whereas Kinde uses offline [1][6]. Providing the incorrect scope will generally result in failing to receive a refresh token [1].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '60,95p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/.git/**' 'offline_access|offline scope|Kinde provider refresh token|refresh token' src/content/docs

Repository: kinde-oss/documentation

Length of output: 39442


Use offline instead of offline_access

Kinde only returns a refresh token for offline; offline_access completes without one. Make clear this is the Kinde provider refresh token, not Supabase’s session refresh token.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/integrate/third-party-tools/kinde-supabase.mdx` around lines
77 - 79, Update the Aside in the Kinde/Supabase integration documentation to
instruct users to request the Kinde provider refresh token with the `offline`
scope instead of `offline_access`, and explicitly distinguish it from Supabase’s
session refresh token.

Comment on lines +82 to +84
8. Copy the **Callback URL** provided by Supabase. You’ll add this to Kinde next.
9. Select **Update provider**.
10. Go to your Kinde application **Details** page and paste the callback URL into the **Allowed Callback URLs** field. Select **Save**.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== file outline =="
ast-grep outline src/content/docs/integrate/third-party-tools/kinde-supabase.mdx --view expanded || true

echo
echo "== relevant line ranges =="
sed -n '70,95p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx
echo
sed -n '228,248p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

echo
echo "== search for logout redirect/docs mentions =="
rg -n "logout redirect|Allowed logout redirect|window.location.origin|callback URL|Allowed Callback URLs" src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

Repository: kinde-oss/documentation

Length of output: 3420


🌐 Web query:

Kinde logout redirect URLs window.location.origin allowed logout redirect URLs documentation

💡 Result:

To ensure users are correctly redirected after logging out of Kinde, you must configure the "Allowed logout redirect URLs" in your Kinde application settings [1][2]. Kinde does not support silent logout; a redirect is required to terminate the session [1]. 1. Configure Allowed URLs: Go to Settings > Applications > [Your App] > View details in the Kinde dashboard [1][2]. Add the desired redirect URL to the "Allowed logout redirect URLs" field [1][2]. If this field is empty or the provided URL does not match, users may be redirected to Kinde’s default hosted logout page instead of your application [3]. 2. Using window.location.origin: You can use window.location.origin to dynamically pass your application's base URL as the redirect destination. When implementing your logout logic, ensure the value you pass to the logout endpoint matches one of the URLs registered in your "Allowed logout redirect URLs" list [2]. 3. Implementation: - Manual Redirect: If you are not using an SDK, append your URL to the logout endpoint [2]: https://<your_kinde_subdomain>.kinde.com/logout?redirect=<your_logout_url> - SDK usage: Most Kinde SDKs (such as TypeScript, Express, or Next.js) include a logout method that uses a configured logout redirect URL (often defined via environment variables like KINDE_POST_LOGOUT_REDIRECT_URL or similar configuration parameters) [4][5][6][7]. Some SDK implementations allow you to pass a custom post-logout redirect URL at runtime, which will be validated against your "Allowed" list [8][9]. Always ensure that the URL you intend to use (e.g., window.location.origin) is explicitly added to the Kinde dashboard's whitelist [1][2].

Citations:


🌐 Web query:

site:docs.kinde.com Allowed logout redirect URLs Kinde logout redirect redirect parameter

💡 Result:

To handle logout redirects in Kinde, you must configure both the allowed URLs in your Kinde application settings and provide the specific redirect parameter in your implementation [1][2]. Allowed Logout Redirect URLs You must register your permitted logout URLs within the Kinde dashboard to ensure security [2]. 1. Navigate to Settings > Applications in your Kinde dashboard [2]. 2. Select your application and click View details [2]. 3. Add your desired URLs to the Allowed logout redirect URLs field [2]. Logout Redirect Parameter When initiating a logout via a Kinde SDK or API, you typically specify the destination URL using a logout redirect parameter [3][4][5]. While naming conventions vary slightly by SDK (e.g., logoutRedirectURL, logoutRedirectUri, or KINDE_POST_LOGOUT_REDIRECT_URL), they all serve the same purpose: defining where the user is sent after signing out [3][6][4][7]. Implementation Examples - Backend SDKs (e.g., TypeScript, PHP): You typically configure the logoutRedirectURL or KINDE_POST_LOGOUT_REDIRECT_URL environment variable during client initialization [3][7]. When the logout method is called, the SDK handles the redirection process based on this value [3][5][8]. - Native/Mobile SDKs (e.g., Android, iOS, Flutter): You must ensure the redirect URL uses your application's custom URL scheme (e.g., myapp://kinde_logoutcallback) and matches what is registered in your Kinde application settings [6][5][8]. Always ensure that any URL passed as a logout redirect parameter matches one of the URLs registered in your Allowed logout redirect URLs list, or the logout process may fail due to a security mismatch [3][4][5].

Citations:


Add the app origin to Kinde logout redirects. The setup only registers the callback URL, but the logout button redirects to window.location.origin; that URL also needs to be listed under Allowed logout redirect URLs or the return-to-app logout flow can break. Add the local and production origins during setup.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/integrate/third-party-tools/kinde-supabase.mdx` around lines
82 - 84, Update the Kinde setup instructions around the application Details page
to also add the local and production app origins to the Allowed logout redirect
URLs field, alongside the existing callback URL configuration, so logout returns
correctly to the app.

Comment on lines +100 to +114
To add Kinde authentication to a Next.js app with Supabase:

1. To create a new Supabase Next.js project, run:

```bash
mkdir -p "app/api/auth/[kindeAuth]"
touch "app/api/auth/[kindeAuth]/route.js"
npx create-next-app -e with-supabase
```

6. Open the newly created `route.js` file, enter the following code, and save the file:

```bash
import { handleAuth } from "@kinde-oss/kinde-auth-nextjs/server"
export const GET = handleAuth()

2. Add the following to your `.env.local` file:

```env title="env.local"
NEXT_PUBLIC_KINDE_DOMAIN=https://<your_brand_name>.kinde.com
```

7. Create an environment variables file `.env.local` by typing:


You can use either your Kinde domain (`https://your_brand_name.kinde.com`) or your [Custom domain](/build/domains/pointing-your-domain/) (`https://auth.your_brand_name.com`). Use the same domain you used for the Issuer URL in the previous step.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '1,240p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

Repository: kinde-oss/documentation

Length of output: 9465


🏁 Script executed:

rg -n "auth/callback|Redirect URLs|URL Configuration|redirectTo|supabase" src/content/docs/integrate/third-party-tools -S

Repository: kinde-oss/documentation

Length of output: 6506


Add /auth/callback to Supabase redirect URLs Both OAuth buttons send users to window.location.origin/auth/callback, but the guide never adds that route to Supabase’s Authentication > URL Configuration. Add http://localhost:3000/auth/callback and the production equivalent so the callback flow can complete.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/integrate/third-party-tools/kinde-supabase.mdx` around lines
100 - 114, Update the Kinde-Supabase integration guide’s setup steps to instruct
users to add /auth/callback to Supabase Authentication > URL Configuration,
including http://localhost:3000/auth/callback and the corresponding production
URL.

Comment on lines +188 to +198
export async function GET(request: Request) {
const { searchParams, origin } = new URL(request.url);
const code = searchParams.get("code");
const next = searchParams.get("next") ?? "/protected";

if (code) {
const supabase = await createClient();
const { error } = await supabase.auth.exchangeCodeForSession(code);
if (!error) {
return NextResponse.redirect(`${origin}${next}`);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n--- file outline ---\n'
wc -l src/content/docs/integrate/third-party-tools/kinde-supabase.mdx
printf '\n--- relevant lines ---\n'
sed -n '160,230p' src/content/docs/integrate/third-party-tools/kinde-supabase.mdx

printf '\n--- search redirect patterns ---\n'
rg -n 'NextResponse\.redirect\(|searchParams\.get\("next"\)|new URL\(' src/content/docs -S

printf '\n--- search for next validation guidance ---\n'
rg -n 'relative paths|open redirect|redirect.*next|next parameter|`@attacker`\.example|origin === origin' src/content/docs -S

Repository: kinde-oss/documentation

Length of output: 7995


🏁 Script executed:

node - <<'JS'
const origin = 'https://app.example';

for (const next of [
  '/protected',
  'dashboard',
  '`@attacker.example`',
  '//@attacker.example',
  '//attacker.example',
  'https://attacker.example',
  '/%5C%5Cattacker.example',
]) {
  const candidate = `${origin}${next}`;
  try {
    const url = new URL(candidate);
    console.log(JSON.stringify({ next, candidate, href: url.href, origin: url.origin, username: url.username, host: url.host, pathname: url.pathname }));
  } catch (e) {
    console.log(JSON.stringify({ next, candidate, error: e.message }));
  }
}
JS

Repository: kinde-oss/documentation

Length of output: 1746


Validate next before redirecting. searchParams.get("next") is concatenated directly into ${origin}${next}, so values like @attacker.example can turn the callback into a cross-site redirect. Restrict this parameter to same-origin relative paths before calling NextResponse.redirect(...).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/content/docs/integrate/third-party-tools/kinde-supabase.mdx` around lines
188 - 198, Validate the next parameter in the GET callback before using it in
NextResponse.redirect, allowing only same-origin relative paths and rejecting
values such as `@attacker.example` or absolute URLs. Preserve the existing
/protected fallback and redirect valid paths using the existing origin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant