What is the difference between OAuth and custom authentication?

OAuth delegates authentication to a third-party provider (Google, GitHub, etc.), reducing your security burden. Custom authentication gives you full control but requires implementing security best practices yourself. Use OAuth for consumer apps, custom auth for enterprise applications with specific requirements.

How do I implement passwordless authentication?

Passwordless auth uses magic links or OTP codes instead of passwords. Users click a link in their email or enter a code to authenticate. Supabase Auth supports magic links natively. This improves security (no weak passwords) and user experience (no password to remember).

What is JWT and how does it work?

JWT (JSON Web Token) is a stateless token containing user information and a signature. The server signs the token, and the client includes it in requests. The server verifies the signature without querying the database. JWTs are ideal for stateless APIs and microservices.

How do I implement multi-tenant authentication?

Store organization_id in the JWT claims or session. Use RLS policies to filter data by organization_id. Implement middleware to verify users belong to the requested organization. This ensures users can only access their organization data.

What is SAML and when should I use it?

SAML is an enterprise authentication protocol used for SSO. It is more complex than OAuth but provides better enterprise features. Use SAML for B2B SaaS targeting enterprises. Supabase supports SAML through third-party providers like Auth0.

How do I refresh JWT tokens?

JWTs have an expiration time (typically 1 hour). Use refresh tokens (longer-lived) to obtain new access tokens without re-authenticating. Supabase Auth handles this automatically. Store refresh tokens securely (httpOnly cookies) and rotate them regularly.

How do I implement custom claims in JWT?

Use Supabase Auth hooks or custom JWT claims in your authentication flow. Store user metadata (role, organization_id) in the JWT. Access claims in your application to make authorization decisions without database queries.

What is the difference between authentication and authorization?

Authentication verifies who you are (login). Authorization determines what you can do (permissions). Implement authentication with Supabase Auth, authorization with RLS policies and role-based access control.

How do I implement social login with multiple providers?

Configure OAuth providers in Supabase Dashboard (Google, GitHub, Discord, etc.). Users can sign in with any provider. Link multiple providers to the same account by matching email addresses. This provides flexibility and improves conversion.

How do I handle authentication errors gracefully?

Catch authentication errors and display user-friendly messages. Log errors for debugging. Implement retry logic for transient errors. Redirect to login on session expiration. Provide clear error messages for invalid credentials, expired links, etc.

What is account linking and how do I implement it?

Account linking allows users to connect multiple authentication methods (email, Google, GitHub) to the same account. Implement by matching email addresses or allowing users to manually link accounts. This improves user experience and reduces duplicate accounts.

How do I implement step-up authentication?

Step-up authentication requires additional verification for sensitive operations (password change, payment). Implement by checking the last authentication time and requiring re-authentication if too much time has passed. Use MFA for extra security.

What is the difference between OAuth and custom authentication?

OAuth delegates authentication to a third-party provider (Google, GitHub, etc.), reducing your security burden. Custom authentication gives you full control but requires implementing security best practices yourself. Use OAuth for consumer apps, custom auth for enterprise applications with specific requirements.

How do I implement passwordless authentication?

Passwordless auth uses magic links or OTP codes instead of passwords. Users click a link in their email or enter a code to authenticate. Supabase Auth supports magic links natively. This improves security (no weak passwords) and user experience (no password to remember).

What is JWT and how does it work?

JWT (JSON Web Token) is a stateless token containing user information and a signature. The server signs the token, and the client includes it in requests. The server verifies the signature without querying the database. JWTs are ideal for stateless APIs and microservices.

How do I implement multi-tenant authentication?

Store organization_id in the JWT claims or session. Use RLS policies to filter data by organization_id. Implement middleware to verify users belong to the requested organization. This ensures users can only access their organization data.

What is SAML and when should I use it?

SAML is an enterprise authentication protocol used for SSO. It is more complex than OAuth but provides better enterprise features. Use SAML for B2B SaaS targeting enterprises. Supabase supports SAML through third-party providers like Auth0.

How do I refresh JWT tokens?

JWTs have an expiration time (typically 1 hour). Use refresh tokens (longer-lived) to obtain new access tokens without re-authenticating. Supabase Auth handles this automatically. Store refresh tokens securely (httpOnly cookies) and rotate them regularly.

How do I implement custom claims in JWT?

Use Supabase Auth hooks or custom JWT claims in your authentication flow. Store user metadata (role, organization_id) in the JWT. Access claims in your application to make authorization decisions without database queries.

What is the difference between authentication and authorization?

Authentication verifies who you are (login). Authorization determines what you can do (permissions). Implement authentication with Supabase Auth, authorization with RLS policies and role-based access control.

How do I implement social login with multiple providers?

Configure OAuth providers in Supabase Dashboard (Google, GitHub, Discord, etc.). Users can sign in with any provider. Link multiple providers to the same account by matching email addresses. This provides flexibility and improves conversion.

How do I handle authentication errors gracefully?

Catch authentication errors and display user-friendly messages. Log errors for debugging. Implement retry logic for transient errors. Redirect to login on session expiration. Provide clear error messages for invalid credentials, expired links, etc.

What is account linking and how do I implement it?

Account linking allows users to connect multiple authentication methods (email, Google, GitHub) to the same account. Implement by matching email addresses or allowing users to manually link accounts. This improves user experience and reduces duplicate accounts.

How do I implement step-up authentication?

Step-up authentication requires additional verification for sensitive operations (password change, payment). Implement by checking the last authentication time and requiring re-authentication if too much time has passed. Use MFA for extra security.

Advanced Authentication Patterns with Next.js and Supabase#

Authentication is the gateway to your application. While basic email/password authentication works for simple apps, production applications need sophisticated authentication patterns that balance security, user experience, and business requirements. This guide teaches you advanced authentication techniques used by leading SaaS companies.

Authentication Fundamentals#

Before diving into advanced patterns, understand these core concepts:

Authentication vs Authorization:

Authentication: Verifies who you are (login)
Authorization: Determines what you can do (permissions)

Stateful vs Stateless:

Stateful: Server stores session data (traditional approach)
Stateless: Client stores token, server verifies (JWT approach)

Token Types:

Access Token: Short-lived (1 hour), used for API requests
Refresh Token: Long-lived (7 days), used to get new access tokens
ID Token: Contains user information, used for authentication

1. OAuth 2.0 Implementation#

OAuth delegates authentication to trusted providers, reducing your security burden.

Configuring OAuth Providers#

In Supabase Dashboard:

Go to Authentication → Providers
Enable desired providers (Google, GitHub, Discord, etc.)
Add OAuth credentials from provider
Configure redirect URLs

// app/auth/oauth/page.tsx
'use client';

import { createClient } from '@/lib/supabase/client';
import { useRouter } from 'next/navigation';

export default function OAuthPage() {
  const router = useRouter();
  const supabase = createClient();

  async function signInWithGoogle() {
    const { data, error } = await supabase.auth.signInWithOAuth({
      provider: 'google',
      options: {
        redirectTo: `${window.location.origin}/auth/callback`
      }
    });

    if (error) {
      console.error('OAuth error:', error);
    }
  }

  async function signInWithGitHub() {
    const { data, error } = await supabase.auth.signInWithOAuth({
      provider: 'github',
      options: {
        redirectTo: `${window.location.origin}/auth/callback`
      }
    });

    if (error) {
      console.error('OAuth error:', error);
    }
  }

  return (
    <div className="space-y-4">
      <button onClick={signInWithGoogle} className="btn btn-google">
        Sign in with Google
      </button>
      <button onClick={signInWithGitHub} className="btn btn-github">
        Sign in with GitHub
      </button>
    </div>
  );
}

OAuth Callback Handler#

// app/auth/callback/route.ts
import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';
import { NextResponse } from 'next/server';

export async function GET(request: Request) {
  const { searchParams } = new URL(request.url);
  const code = searchParams.get('code');
  const error = searchParams.get('error');

  if (error) {
    return NextResponse.redirect(
      new URL(`/auth/error?error=${error}`, request.url)
    );
  }

  if (code) {
    const cookieStore = cookies();
    const supabase = createServerClient(
      process.env.NEXT_PUBLIC_SUPABASE_URL!,
      process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
      {
        cookies: {
          get(name: string) {
            return cookieStore.get(name)?.value;
          },
          set(name: string, value: string, options) {
            cookieStore.set({ name, value, ...options });
          },
          remove(name: string, options) {
            cookieStore.set({ name, value: '', ...options });
          },
        },
      }
    );

    const { error: exchangeError } = await supabase.auth.exchangeCodeForSession(code);

    if (!exchangeError) {
      return NextResponse.redirect(new URL('/dashboard', request.url));
    }
  }

  return NextResponse.redirect(new URL('/auth/error', request.url));
}

Account Linking#

Allow users to link multiple OAuth providers:

// Link additional OAuth provider to existing account
async function linkOAuthProvider(provider: string) {
  const supabase = createClient();
  
  const { data, error } = await supabase.auth.linkIdentity({
    provider,
    options: {
      redirectTo: `${window.location.origin}/auth/callback`
    }
  });

  if (error) {
    console.error('Linking error:', error);
  }
}

// Unlink OAuth provider
async function unlinkOAuthProvider(provider: string) {
  const supabase = createClient();
  
  const { data, error } = await supabase.auth.unlinkIdentity({
    identity_id: 'provider_id'
  });

  if (error) {
    console.error('Unlinking error:', error);
  }
}

2. Passwordless Authentication#

Passwordless auth improves security and user experience by eliminating passwords.

Magic Link Authentication#

// app/auth/magic-link/page.tsx
'use client';

import { createClient } from '@/lib/supabase/client';
import { useState } from 'react';

export default function MagicLinkPage() {
  const [email, setEmail] = useState('');
  const [loading, setLoading] = useState(false);
  const [message, setMessage] = useState('');
  const supabase = createClient();

  async function handleMagicLink(e: React.FormEvent) {
    e.preventDefault();
    setLoading(true);

    const { error } = await supabase.auth.signInWithOtp({
      email,
      options: {
        emailRedirectTo: `${window.location.origin}/auth/callback`
      }
    });

    if (error) {
      setMessage(`Error: ${error.message}`);
    } else {
      setMessage('Check your email for the magic link!');
      setEmail('');
    }

    setLoading(false);
  }

  return (
    <form onSubmit={handleMagicLink} className="space-y-4">
      <input
        type="email"
        value={email}
        onChange={(e) => setEmail(e.target.value)}
        placeholder="Enter your email"
        required
      />
      <button type="submit" disabled={loading}>
        {loading ? 'Sending...' : 'Send Magic Link'}
      </button>
      {message && <p>{message}</p>}
    </form>
  );
}

One-Time Password (OTP)#

// Send OTP via SMS or email
async function sendOTP(phone: string) {
  const supabase = createClient();
  
  const { data, error } = await supabase.auth.signInWithOtp({
    phone,
    options: {
      shouldCreateUser: true
    }
  });

  if (error) {
    console.error('OTP error:', error);
  }
}

// Verify OTP
async function verifyOTP(phone: string, token: string) {
  const supabase = createClient();
  
  const { data, error } = await supabase.auth.verifyOtp({
    phone,
    token,
    type: 'sms'
  });

  if (error) {
    console.error('Verification error:', error);
  }

  return data;
}

3. Custom JWT Implementation#

For advanced use cases, implement custom JWT claims:

// lib/jwt.ts
import jwt from 'jsonwebtoken';

interface CustomClaims {
  sub: string; // user id
  email: string;
  organization_id: string;
  role: 'admin' | 'editor' | 'viewer';
  permissions: string[];
  iat: number;
  exp: number;
}

export function createCustomJWT(user: {
  id: string;
  email: string;
  organization_id: string;
  role: string;
  permissions: string[];
}): string {
  const claims: CustomClaims = {
    sub: user.id,
    email: user.email,
    organization_id: user.organization_id,
    role: user.role as any,
    permissions: user.permissions,
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + 3600 // 1 hour
  };

  return jwt.sign(claims, process.env.JWT_SECRET!);
}

export function verifyCustomJWT(token: string): CustomClaims | null {
  try {
    return jwt.verify(token, process.env.JWT_SECRET!) as CustomClaims;
  } catch (error) {
    return null;
  }
}

Using Custom Claims in Middleware#

// middleware.ts
import { NextRequest, NextResponse } from 'next/server';
import { verifyCustomJWT } from '@/lib/jwt';

export async function middleware(request: NextRequest) {
  const token = request.cookies.get('auth-token')?.value;

  if (!token) {
    return NextResponse.redirect(new URL('/login', request.url));
  }

  const claims = verifyCustomJWT(token);

  if (!claims) {
    return NextResponse.redirect(new URL('/login', request.url));
  }

  // Check authorization
  if (request.nextUrl.pathname.startsWith('/admin') && claims.role !== 'admin') {
    return NextResponse.redirect(new URL('/unauthorized', request.url));
  }

  // Add claims to request headers
  const requestHeaders = new Headers(request.headers);
  requestHeaders.set('x-user-id', claims.sub);
  requestHeaders.set('x-organization-id', claims.organization_id);
  requestHeaders.set('x-user-role', claims.role);

  return NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });
}

export const config = {
  matcher: ['/dashboard/:path*', '/admin/:path*', '/api/:path*']
};

4. Multi-Tenant Authentication#

Implement authentication for multi-tenant SaaS applications:

// lib/multi-tenant-auth.ts
import { createServerClient } from '@supabase/ssr';
import { cookies } from 'next/headers';

export async function getUserWithOrganization() {
  const cookieStore = cookies();
  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        get(name: string) {
          return cookieStore.get(name)?.value;
        },
        set(name: string, value: string, options) {
          cookieStore.set({ name, value, ...options });
        },
        remove(name: string, options) {
          cookieStore.set({ name, value: '', ...options });
        },
      },
    }
  );

  const { data: { user } } = await supabase.auth.getUser();

  if (!user) {
    return null;
  }

  // Get user's organizations
  const { data: organizations } = await supabase
    .from('organization_members')
    .select(`
      organization_id,
      role,
      organizations(id, name, slug)
    `)
    .eq('user_id', user.id);

  return {
    user,
    organizations: organizations || []
  };
}

// Verify user belongs to organization
export async function verifyOrganizationAccess(
  userId: string,
  organizationId: string
): Promise<boolean> {
  const cookieStore = cookies();
  const supabase = createServerClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,
    {
      cookies: {
        get(name: string) {
          return cookieStore.get(name)?.value;
        },
        set(name: string, value: string, options) {
          cookieStore.set({ name, value, ...options });
        },
        remove(name: string, options) {
          cookieStore.set({ name, value: '', ...options });
        },
      },
    }
  );

  const { data } = await supabase
    .from('organization_members')
    .select('id')
    .eq('user_id', userId)
    .eq('organization_id', organizationId)
    .single();

  return !!data;
}

Multi-Tenant Middleware#

// middleware.ts
import { NextRequest, NextResponse } from 'next/server';
import { verifyOrganizationAccess } from '@/lib/multi-tenant-auth';

export async function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  
  // Extract organization slug from URL
  const match = pathname.match(/^\/org\/([^/]+)/);
  if (!match) {
    return NextResponse.next();
  }

  const organizationSlug = match[1];
  const userId = request.headers.get('x-user-id');

  if (!userId) {
    return NextResponse.redirect(new URL('/login', request.url));
  }

  // Verify user has access to organization
  const hasAccess = await verifyOrganizationAccess(userId, organizationSlug);

  if (!hasAccess) {
    return NextResponse.redirect(new URL('/unauthorized', request.url));
  }

  return NextResponse.next();
}

export const config = {
  matcher: ['/org/:path*']
};

5. Enterprise SSO (SAML)#

For enterprise customers, implement SAML-based SSO:

// Configure SAML provider
async function configureSAML(organizationId: string, samlConfig: {
  entityId: string;
  ssoUrl: string;
  certificate: string;
}) {
  const supabase = createClient();

  const { data, error } = await supabase
    .from('organization_sso')
    .insert({
      organization_id: organizationId,
      provider: 'saml',
      config: samlConfig
    });

  if (error) {
    console.error('SAML config error:', error);
  }

  return data;
}

// SAML sign-in
async function signInWithSAML(organizationId: string) {
  const supabase = createClient();

  // Get SAML config
  const { data: ssoConfig } = await supabase
    .from('organization_sso')
    .select('*')
    .eq('organization_id', organizationId)
    .eq('provider', 'saml')
    .single();

  if (!ssoConfig) {
    throw new Error('SAML not configured for this organization');
  }

  // Redirect to SAML provider
  window.location.href = ssoConfig.config.ssoUrl;
}

6. Step-Up Authentication#

Require additional verification for sensitive operations:

// lib/step-up-auth.ts
const STEP_UP_TIMEOUT = 15 * 60 * 1000; // 15 minutes

export async function requireStepUpAuth(userId: string): Promise<boolean> {
  const lastStepUp = localStorage.getItem(`step-up-${userId}`);
  const now = Date.now();

  if (!lastStepUp || now - parseInt(lastStepUp) > STEP_UP_TIMEOUT) {
    // Require re-authentication
    return false;
  }

  return true;
}

export function recordStepUpAuth(userId: string) {
  localStorage.setItem(`step-up-${userId}`, Date.now().toString());
}

// Usage in sensitive operation
async function changePassword(userId: string, newPassword: string) {
  const hasStepUp = await requireStepUpAuth(userId);

  if (!hasStepUp) {
    // Redirect to re-authentication
    throw new Error('Step-up authentication required');
  }

  // Change password
  const supabase = createClient();
  const { error } = await supabase.auth.updateUser({
    password: newPassword
  });

  if (!error) {
    recordStepUpAuth(userId);
  }

  return error;
}

7. Authentication Error Handling#

// lib/auth-errors.ts
export function getAuthErrorMessage(error: any): string {
  const errorCode = error?.code || error?.message;

  const messages: Record<string, string> = {
    'invalid_credentials': 'Invalid email or password',
    'user_not_found': 'User not found',
    'email_not_confirmed': 'Please confirm your email',
    'weak_password': 'Password is too weak',
    'user_already_exists': 'User already exists',
    'over_request_rate_limit': 'Too many requests. Please try again later',
    'session_not_found': 'Session expired. Please log in again',
    'invalid_grant': 'Invalid credentials',
    'invalid_request': 'Invalid request'
  };

  return messages[errorCode] || 'An authentication error occurred';
}

// Usage
async function handleLogin(email: string, password: string) {
  const supabase = createClient();

  const { error } = await supabase.auth.signInWithPassword({
    email,
    password
  });

  if (error) {
    const message = getAuthErrorMessage(error);
    console.error(message);
    return { error: message };
  }

  return { success: true };
}

8. Authentication Best Practices Checklist#

✅ Use HTTPS in production
✅ Store tokens in httpOnly cookies
✅ Implement token refresh logic
✅ Use strong password requirements
✅ Implement rate limiting on auth endpoints
✅ Enable MFA for sensitive accounts
✅ Log authentication events
✅ Implement step-up authentication for sensitive operations
✅ Use OAuth for consumer apps
✅ Implement SAML for enterprise customers
✅ Handle authentication errors gracefully
✅ Implement account linking
✅ Regular security audits

Conclusion#

Advanced authentication patterns enable you to build secure, scalable applications that meet diverse user and business requirements. Start with basic OAuth for consumer apps, add passwordless authentication for better UX, and implement enterprise features like SAML for B2B customers.

Remember: authentication is the foundation of security. Invest time in getting it right, and your users will thank you with their trust.

Advanced Authentication Patterns with Next.js and Supabase

Advanced Authentication Patterns with Next.js and Supabase#

Authentication Fundamentals#

1. OAuth 2.0 Implementation#

Configuring OAuth Providers#

Implementing OAuth Sign-In#

OAuth Callback Handler#

Account Linking#

2. Passwordless Authentication#

Magic Link Authentication#

One-Time Password (OTP)#

3. Custom JWT Implementation#

Using Custom Claims in Middleware#

4. Multi-Tenant Authentication#

Multi-Tenant Middleware#

5. Enterprise SSO (SAML)#

6. Step-Up Authentication#

7. Authentication Error Handling#

8. Authentication Best Practices Checklist#

Related Articles#

Conclusion#

Frequently Asked Questions

What is the difference between OAuth and custom authentication?

How do I implement passwordless authentication?

What is JWT and how does it work?

How do I implement multi-tenant authentication?

What is SAML and when should I use it?

How do I refresh JWT tokens?

How do I implement custom claims in JWT?

What is the difference between authentication and authorization?

How do I implement social login with multiple providers?

How do I handle authentication errors gracefully?

What is account linking and how do I implement it?

How do I implement step-up authentication?