PKCE flow
About authenticating with PKCE flow.
The Proof Key for Code Exchange (PKCE) flow is one of two ways that a user can authenticate and your app can receive the necessary access and refresh tokens.
The flow is an implementation detail handled for you by Supabase Auth, but understanding the difference between PKCE and implicit flow is important for understanding the difference between client-only and server-side auth.
How it works
After a successful verification, the user is redirected to your app with a URL that looks like this:
_10https://yourapp.com/...?code=<...>
The code
parameter is commonly known as the Auth Code and can be exchanged for an access token by calling exchangeCodeForSession(code)
.
For security purposes, the code has a validity of 5 minutes and can only be exchanged for an access token once. You will need to restart the authentication flow from scratch if you wish to obtain a new access token.
As the flow is run server side, localStorage
may not be available. You may configure the client library to use a custom storage adapter and an alternate backing storage such as cookies by setting the storage
option to an object with the following methods:
_23const customStorageAdapter: SupportedStorage = {_23 getItem: (key) => {_23 if (!supportsLocalStorage()) {_23 // Configure alternate storage_23 return null_23 }_23 return globalThis.localStorage.getItem(key)_23 },_23 setItem: (key, value) => {_23 if (!supportsLocalStorage()) {_23 // Configure alternate storage here_23 return_23 }_23 globalThis.localStorage.setItem(key, value)_23 },_23 removeItem: (key) => {_23 if (!supportsLocalStorage()) {_23 // Configure alternate storage here_23 return_23 }_23 globalThis.localStorage.removeItem(key)_23 },_23}
You may also configure the client library to automatically exchange it for a session after a successful redirect. This can be done by setting the detectSessionInUrl
option to true
.
Putting it all together, your client library initialization may look like this:
_14const supabase = createClient(_14 'https://xyzcompany.supabase.co',_14 'public-anon-key',_14 {_14 ..._14 auth: {_14 ..._14 detectSessionInUrl: true,_14 flowType: 'pkce',_14 storage: customStorageAdapter,_14 }_14 ..._14 }_14)
Limitations
Behind the scenes, the code exchange requires a code verifier. Both the code in the URL and the code verifier are sent back to the Auth server for a successful exchange.
The code verifier is created and stored locally when the Auth flow is first initiated. That means the code exchange must be initiated on the same browser and device where the flow was started.
Resources
- OAuth 2.0 guide to PKCE flow