Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
This isn't necessarily a bug, but something that needs documenting across supabase and gotrue (and potentially should have runtime asserts to discourage it).
TLDR: When using Google OAuth, redirect URLs using underscores (ie com.my_cool_app.example://callback) will always fail and will fall back to the site URL in your supabase config. The docs don't mention this at all, and there are more than a few discussions about site URLs "overriding" redirect URLs, or redirect URLs "not working" when Google is simply modifying them so that they're not recognized by Supabase.
To Reproduce
- Create an app with Google OAuth
- Configure the supabase and the application's deep links to accept a redirect URL using underscores (ie. my_app://callback)
- Configure supabase's site URL to be localhost:3000 (if not already)
- Call supabase.auth.signInWithOAuth(OAuthProvider.google, redirectTo: 'my_app://callback')
Expected behavior
On completing Google's OAuth, you should be redirected to your application successfully. However, the siteURL is used instead, which may not be configured in the given application.
One option could be to throw an assertion error (or other exception) if a redirect url contains invalid chars for Google OAuth - it appears the gotrue plugin for flutter already handles Google behavior a little differently, enforcing that apps auth in an external browser, so this shouldn't be much different.
System information
Platform: Flutter (gotrue 2.18.0)
Additional context
Changing the redirect URL (on supabase and your app config) to my-app://callback works correctly.
This may be Google's own crappy documentation, but supabase doesn't document this specific behavior either and it would be useful to improve the setup experience :)
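
A sketch of the runtime check suggested above, added here as an example and not taken from supabase or gotrue. It assumes the relevant rule is the RFC 3986 scheme grammar (a letter followed by letters, digits, "+", "-" or "."), which has no underscore; the function names are hypothetical.

```dart
// Added example, not supabase/gotrue code. Function names are hypothetical.
// RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
final RegExp _validScheme = RegExp(r'^[A-Za-z][A-Za-z0-9+.-]*$');
final RegExp _schemeChar = RegExp(r'^[A-Za-z0-9+.-]$');

/// Returns null when the scheme of [redirectTo] matches the RFC 3986 grammar,
/// otherwise a message naming what is wrong with it.
String? redirectSchemeProblem(String redirectTo) {
  final sep = redirectTo.indexOf(':');
  if (sep <= 0) return 'no URI scheme in "$redirectTo"';
  final scheme = redirectTo.substring(0, sep);
  if (_validScheme.hasMatch(scheme)) return null;

  // Collect each distinct character that the grammar does not allow.
  final bad = scheme.split('').where((c) => !_schemeChar.hasMatch(c)).toSet();
  if (bad.isEmpty) return 'scheme "$scheme" must start with a letter';
  final listed = bad.map((c) => "'$c'").join(', ');
  return 'scheme "$scheme" contains $listed, which is not valid in a URI scheme';
}

/// Fails loudly before the OAuth flow starts, so a bad redirect does not
/// end in a silent fallback to the site URL.
String checkedRedirect(String redirectTo) {
  final problem = redirectSchemeProblem(redirectTo);
  if (problem != null) {
    throw ArgumentError.value(redirectTo, 'redirectTo', problem);
  }
  return redirectTo;
}

void main() {
  // The redirect URLs quoted in this report.
  const samples = [
    'my_app://callback',
    'com.my_cool_app.example://callback',
    'my-app://callback',
  ];
  for (final url in samples) {
    print('$url -> ${redirectSchemeProblem(url) ?? 'ok'}');
  }
  // Usage before the call from the reproduction steps:
  //   supabase.auth.signInWithOAuth(OAuthProvider.google,
  //       redirectTo: checkedRedirect('my-app://callback'));
}
```

The same pattern applied to every entry in the redirect allow list on the supabase side would flag the mismatch at configuration time as well.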