Skip to content

[Epic 7] Story 7.2 GoTrue client integration #285

Open
Open
[Epic 7] Story 7.2 GoTrue client integration#285
Labels
idamstory
@casibbald

Description

@casibbald
casibbald
opened on Jan 28, 2026

Part of Epic #279

Story 7.2 — GoTrue client integration

GitHub issue: #285
Epic: Epic 7 — IDAM core implementation

Overview

Integrate the IDAM core with Supabase GoTrue: implement (or wire) handlers for all core paths so IDAM is a proper proxy. Use the path list from IDAM GoTrue API Mapping §3.1 (token, logout, signup, recover, resend, magiclink, otp, verify, user GET/PUT, reauthenticate, factors, identity link/unlink, authorize, callback, SSO/SAML, settings, JWKS, health).

Sequence: IDAM proxy to GoTrue

sequenceDiagram
  participant Client as Client / BFF
  participant IDAM as IDAM core
  participant GoTrue as Supabase GoTrue

  Client->>IDAM: POST /api/identity/auth/token (password)
  IDAM->>GoTrue: POST /token (apikey + body)
  GoTrue-->>IDAM: access_token, refresh_token
  IDAM-->>Client: Same or transformed tokens

  Client->>IDAM: GET /api/identity/user (Bearer)
  IDAM->>GoTrue: GET /user (Bearer)
  GoTrue-->>IDAM: UserSchema
  IDAM-->>Client: UserSchema
Loading

Diagram: Handler delegation to GoTrue client

flowchart TB
  Request["Incoming request (IDAM path prefix)"]
  Request --> Router["IDAM router"]
  Router --> Token["token handler"]
  Router --> User["user handler"]
  Router --> Verify["verify handler"]
  Router --> Other["... other core paths"]
  Token --> Client["GoTrue HTTP client"]
  User --> Client
  Verify --> Client
  Other --> Client
  Client --> GoTrue["GoTrue base URL"]
Loading

Delivery

  • GoTrue client: HTTP client to GoTrue base URL (existing or new): token (password, refresh, pkce, id_token), logout, signup, recover, resend, magiclink, otp, verify, user (GET/PUT), reauthenticate, factors (enroll, challenge, verify, unenroll), identity authorize/delete, callback, sso/saml, settings, health. Pass-through or transform responses as needed for IDAM path prefix.
  • Handlers: IDAM core routes call the GoTrue client and return responses; JWKS and openid-configuration can proxy to GoTrue or serve from config.
  • Auth: API key (or service auth) for IDAM→GoTrue; document how IDAM obtains it (env, secret).

Acceptance criteria

  • All IDAM core paths (from §3.1 mapping) are implemented via GoTrue client.
  • IDAM returns JWTs from same issuer as GoTrue (pass-through or re-issue); BFF can validate with GoTrue JWKS.
  • IDAM→GoTrue authentication (apikey or service role) is documented and configurable.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    idamstory

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions