feat: handle oauth-protected-resource for edge functions

[Rodriguespn]

What kind of change does this PR introduce?

Feature - Enables local development and testing of OAuth-protected Edge Functions (like MCP servers).

What is the current behavior?

When building OAuth-protected Edge Functions locally, there's no way for OAuth clients to discover the authorization server for a protected Edge Function resource via the standard /.well-known/oauth-protected-resource path.

Per RFC 9728, OAuth clients should be able to discover the authorization server by fetching:

/.well-known/oauth-protected-resource/<resource-path>

This wasn't possible for Edge Functions running locally.

What is the new behavior?

OAuth Protected Resource Metadata Endpoint

Added a Kong route that redirects OAuth protected resource discovery requests to the appropriate Edge Function:

/.well-known/oauth-protected-resource/functions/v1/<function-name>
  → /<function-name>/.well-known/oauth-protected-resource

This enables OAuth clients to discover the authorization server for any Edge Function per RFC 9728.

Example Edge Function implementation:

const supabaseUrl = Deno.env.get('SUPABASE_URL')!
const publicUrl = Deno.env.get('PUBLIC_URL') || `${supabaseUrl}/functions/v1/my-function`
const authServerUrl = Deno.env.get('AUTH_SERVER_URL') || `${supabaseUrl}/auth/v1`

app.get('/.well-known/oauth-protected-resource', (c) => {
  return c.json({
    resource: publicUrl,
    authorization_servers: [authServerUrl],
    scopes_supported: ['openid', 'profile', 'email'],
  })
})

Edge Functions can use custom environment variables (PUBLIC_URL, AUTH_SERVER_URL) passed via supabase functions serve --env-file to override URLs for local development.

Testing

# Start local Supabase
supabase start

# Serve your Edge Function
supabase functions serve my-oauth-function --env-file .env.local

# Test the OAuth protected resource discovery
curl http://127.0.0.1:54321/.well-known/oauth-protected-resource/functions/v1/my-oauth-function

Related issue: https://linear.app/supabase/issue/AI-311/add-oauth-authentication-section-to-byom-one-pager-docs

Should close #4322 @cemalkilic

[coveralls]

Pull Request Test Coverage Report for Build 20369862521

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
• 68 unchanged lines in 6 files lost coverage.
• Overall coverage decreased (-0.2%) to 56.046%

---

Files with Coverage Reduction	New Missed Lines	%
internal/gen/types/types.go	1	97.53%
internal/gen/keys/keys.go	5	12.9%
cmd/gen.go	9	0.0%
internal/functions/new/new.go	12	68.18%
cmd/init.go	19	0.0%
internal/init/init.go	22	78.9%

Totals
Change from base Build 20098526635:	-0.2%
Covered Lines:	6813
Relevant Lines:	12156

---

💛 - Coveralls

decided to go with www-authenticate header instead