Add OAuth 2.1 authentication support

Implements OAuth 2.1 with PKCE as an alternative authentication method
to session tokens. When connecting to a Coder deployment that supports
OAuth, users can choose between OAuth and legacy token authentication.

Key changes:

OAuth Flow:
- Add OAuthSessionManager to handle the complete OAuth lifecycle: dynamic
  client registration, PKCE authorization flow, token exchange, automatic
  refresh, and revocation
- Add OAuthMetadataClient to discover and validate OAuth server metadata
  from the well-known endpoint, ensuring server meets OAuth 2.1 requirements
- Handle OAuth callbacks via vscode:// URI handler with cross-window
  support for when callback arrives in a different VS Code window

Token Management:
- Store OAuth tokens (access, refresh, expiry) per-deployment in secrets
- Store dynamic client registrations per-deployment in secrets
- Proactive token refresh when approaching expiry (via response interceptor)
- Reactive token refresh on 401 responses with automatic request retry
- Handle OAuth errors (invalid_grant, invalid_client) by prompting for
  re-authentication

Integration:
- Add auth method selection prompt when server supports OAuth
- Attach OAuth interceptors to CoderApi for automatic token refresh
- Clear OAuth state when user explicitly chooses token auth
- DeploymentManager coordinates OAuth session state with deployment changes

Error Handling:
- Typed OAuth error classes (InvalidGrantError, InvalidClientError, etc.)
- Parse OAuth error responses from token endpoint
- Show re-authentication modal for errors requiring user action

Author: EhabY

src/api/oauthInterceptors.ts

@@ -0,0 +1,116 @@
+import { type AxiosError, isAxiosError } from "axios";
+
+import { type Logger } from "../logging/logger";
+import { type RequestConfigWithMeta } from "../logging/types";
+import { parseOAuthError, requiresReAuthentication } from "../oauth/errors";
+import { type OAuthSessionManager } from "../oauth/sessionManager";
+
+import { type CoderApi } from "./coderApi";
+
+const coderSessionTokenHeader = "Coder-Session-Token";
+
+/**
+ * Attach OAuth token refresh interceptors to a CoderApi instance.
+ * This should be called after creating the CoderApi when OAuth authentication is being used.
+ *
+ * Success interceptor: proactively refreshes token when approaching expiry.
+ * Error interceptor: reactively refreshes token on 401 responses.
+ */
+export function attachOAuthInterceptors(
+	client: CoderApi,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): void {
+	client.getAxiosInstance().interceptors.response.use(
+		// Success response interceptor: proactive token refresh
+		(response) => {
+			// Fire-and-forget: don't await, don't block response
+			oauthSessionManager.refreshIfAlmostExpired().catch((error) => {
+				logger.warn("Proactive background token refresh failed:", error);
+			});
+
+			return response;
+		},
+		// Error response interceptor: reactive token refresh on 401
+		async (error: unknown) => {
+			if (!isAxiosError(error)) {
+				throw error;
+			}
+
+			if (error.config) {
+				const config = error.config as {
+					_oauthRetryAttempted?: boolean;
+				};
+				if (config._oauthRetryAttempted) {
+					throw error;
+				}
+			}
+
+			const status = error.response?.status;
+
+			// These could indicate permanent auth failures that won't be fixed by token refresh
+			if (status === 400 || status === 403) {
+				handlePossibleOAuthError(error, logger, oauthSessionManager);
+				throw error;
+			} else if (status === 401) {
+				return handle401Error(error, client, logger, oauthSessionManager);
+			}
+
+			throw error;
+		},
+	);
+}
+
+function handlePossibleOAuthError(
+	error: unknown,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): void {
+	const oauthError = parseOAuthError(error);
+	if (oauthError && requiresReAuthentication(oauthError)) {
+		logger.error(
+			`OAuth error requires re-authentication: ${oauthError.errorCode}`,
+		);
+
+		oauthSessionManager.showReAuthenticationModal(oauthError).catch((err) => {
+			logger.error("Failed to show re-auth modal:", err);
+		});
+	}
+}
+
+async function handle401Error(
+	error: AxiosError,
+	client: CoderApi,
+	logger: Logger,
+	oauthSessionManager: OAuthSessionManager,
+): Promise<void> {
+	if (!oauthSessionManager.isLoggedInWithOAuth()) {
+		throw error;
+	}
+
+	logger.info("Received 401 response, attempting token refresh");
+
+	try {
+		const newTokens = await oauthSessionManager.refreshToken();
+		client.setSessionToken(newTokens.access_token);
+
+		logger.info("Token refresh successful, retrying request");
+
+		// Retry the original request with the new token
+		if (error.config) {
+			const config = error.config as RequestConfigWithMeta & {
+				_oauthRetryAttempted?: boolean;
+			};
+			config._oauthRetryAttempted = true;
+			config.headers[coderSessionTokenHeader] = newTokens.access_token;
+			return client.getAxiosInstance().request(config);
+		}
+
+		throw error;
+	} catch (refreshError) {
+		logger.error("Token refresh failed:", refreshError);
+
+		handlePossibleOAuthError(refreshError, logger, oauthSessionManager);
+		throw error;
+	}
+}

src/commands.ts

@@ -17,6 +17,7 @@ import { CertificateError } from "./error";
 import { getGlobalFlags } from "./globalFlags";
 import { type Logger } from "./logging/logger";
 import { type LoginCoordinator } from "./login/loginCoordinator";
+import { type OAuthSessionManager } from "./oauth/sessionManager";
 import { maybeAskAgent, maybeAskUrl } from "./promptUtils";
 import { escapeCommandArg, toRemoteAuthority, toSafeHost } from "./util";
 import {
@@ -49,6 +50,7 @@ export class Commands {
 	public constructor(
 		serviceContainer: ServiceContainer,
 		private readonly extensionClient: CoderApi,
+		private readonly oauthSessionManager: OAuthSessionManager,
 		private readonly deploymentManager: DeploymentManager,
 	) {
 		this.vscodeProposed = serviceContainer.getVsCodeProposed();
@@ -107,6 +109,7 @@ export class Commands {
 			label,
 			url,
 			autoLogin: args?.autoLogin,
+			oauthSessionManager: this.oauthSessionManager,
 		});
 
 		if (!result.success || !result.user || result.token === undefined) {

src/core/secretsManager.ts

@@ -3,10 +3,14 @@ import { toSafeHost } from "../util";
 import type { Memento, SecretStorage, Disposable } from "vscode";
 
 import type { Deployment } from "../deployment";
+import type { TokenResponse, ClientRegistrationResponse } from "../oauth/types";
 
 const SESSION_KEY_PREFIX = "coder.session.";
+const OAUTH_TOKENS_PREFIX = "coder.oauth.tokens.";
+const OAUTH_CLIENT_PREFIX = "coder.oauth.client.";
 
 const CURRENT_DEPLOYMENT_KEY = "coder.currentDeployment";
+const OAUTH_CALLBACK_KEY = "coder.oauthCallback";
 
 const DEPLOYMENT_USAGE_KEY = "coder.deploymentUsage";
 const DEFAULT_MAX_DEPLOYMENTS = 10;
@@ -18,11 +22,22 @@ export interface DeploymentUsage {
 	lastAccessedAt: string;
 }
 
+export type StoredOAuthTokens = Omit<TokenResponse, "expires_in"> & {
+	expiry_timestamp: number;
+	deployment_url: string;
+};
+
 export interface SessionAuth {
 	url: string;
 	token: string;
 }
 
+interface OAuthCallbackData {
+	state: string;
+	code: string | null;
+	error: string | null;
+}
+
 export interface CurrentDeploymentState {
 	deployment: Deployment | null;
 }
@@ -89,6 +104,38 @@ export class SecretsManager {
 		});
 	}
 
+	/**
+	 * Write an OAuth callback result to secrets storage.
+	 * Used for cross-window communication when OAuth callback arrives in a different window.
+	 */
+	public async setOAuthCallback(data: OAuthCallbackData): Promise<void> {
+		await this.secrets.store(OAUTH_CALLBACK_KEY, JSON.stringify(data));
+	}
+
+	/**
+	 * Listen for OAuth callback results from any VS Code window.
+	 * The listener receives the state parameter, code (if success), and error (if failed).
+	 */
+	public onDidChangeOAuthCallback(
+		listener: (data: OAuthCallbackData) => void,
+	): Disposable {
+		return this.secrets.onDidChange(async (e) => {
+			if (e.key !== OAUTH_CALLBACK_KEY) {
+				return;
+			}
+
+			try {
+				const data = await this.secrets.get(OAUTH_CALLBACK_KEY);
+				if (data) {
+					const parsed = JSON.parse(data) as OAuthCallbackData;
+					listener(parsed);
+				}
+			} catch {
+				// Ignore parse errors
+			}
+		});
+	}
+
 	/**
 	 * Listen for changes to a specific deployment's session auth.
 	 */
@@ -144,6 +191,71 @@ export class SecretsManager {
 		await this.secrets.delete(`${SESSION_KEY_PREFIX}${label}`);
 	}
 
+	public async getOAuthTokens(
+		label: string,
+	): Promise<StoredOAuthTokens | undefined> {
+		try {
+			const data = await this.secrets.get(`${OAUTH_TOKENS_PREFIX}${label}`);
+			if (!data) {
+				return undefined;
+			}
+			return JSON.parse(data) as StoredOAuthTokens;
+		} catch {
+			return undefined;
+		}
+	}
+
+	public async setOAuthTokens(
+		label: string,
+		tokens: StoredOAuthTokens,
+	): Promise<void> {
+		await this.secrets.store(
+			`${OAUTH_TOKENS_PREFIX}${label}`,
+			JSON.stringify(tokens),
+		);
+		await this.recordDeploymentAccess(label);
+	}
+
+	public async clearOAuthTokens(label: string): Promise<void> {
+		await this.secrets.delete(`${OAUTH_TOKENS_PREFIX}${label}`);
+	}
+
+	public async getOAuthClientRegistration(
+		label: string,
+	): Promise<ClientRegistrationResponse | undefined> {
+		try {
+			const data = await this.secrets.get(`${OAUTH_CLIENT_PREFIX}${label}`);
+			if (!data) {
+				return undefined;
+			}
+			return JSON.parse(data) as ClientRegistrationResponse;
+		} catch {
+			return undefined;
+		}
+	}
+
+	public async setOAuthClientRegistration(
+		label: string,
+		registration: ClientRegistrationResponse,
+	): Promise<void> {
+		await this.secrets.store(
+			`${OAUTH_CLIENT_PREFIX}${label}`,
+			JSON.stringify(registration),
+		);
+		await this.recordDeploymentAccess(label);
+	}
+
+	public async clearOAuthClientRegistration(label: string): Promise<void> {
+		await this.secrets.delete(`${OAUTH_CLIENT_PREFIX}${label}`);
+	}
+
+	public async clearOAuthData(label: string): Promise<void> {
+		await Promise.all([
+			this.clearOAuthTokens(label),
+			this.clearOAuthClientRegistration(label),
+		]);
+	}
+
 	/**
 	 * Record that a deployment was accessed, moving it to the front of the LRU list.
 	 * Prunes deployments beyond maxCount, clearing their auth data.
@@ -167,7 +279,10 @@ export class SecretsManager {
 	 * Clear all auth data for a deployment and remove it from the usage list.
 	 */
 	public async clearAllAuthData(label: string): Promise<void> {
-		await this.clearSessionAuth(label);
+		await Promise.all([
+			this.clearSessionAuth(label),
+			this.clearOAuthData(label),
+		]);
 		const usage = this.getDeploymentUsage().filter((u) => u.label !== label);
 		await this.memento.update(DEPLOYMENT_USAGE_KEY, usage);
 	}

src/deployment/deploymentManager.ts

@@ -4,6 +4,7 @@ import { type ContextManager } from "../core/contextManager";
 import { type MementoManager } from "../core/mementoManager";
 import { type SecretsManager } from "../core/secretsManager";
 import { type Logger } from "../logging/logger";
+import { type OAuthSessionManager } from "../oauth/sessionManager";
 import { type WorkspaceProvider } from "../workspace/workspacesProvider";
 
 import {
@@ -21,6 +22,7 @@ import type * as vscode from "vscode";
  * Centralizes:
  * - In-memory deployment state (url, label, token, user)
  * - Client credential updates
+ * - OAuth session management
  * - Auth listener registration
  * - Context updates (coder.authenticated, coder.isOwner)
  * - Workspace provider refresh
@@ -39,6 +41,7 @@ export class DeploymentManager implements vscode.Disposable {
 	private constructor(
 		serviceContainer: ServiceContainer,
 		private readonly client: CoderApi,
+		private readonly oauthSessionManager: OAuthSessionManager,
 		private readonly workspaceProviders: WorkspaceProvider[],
 	) {
 		this.secretsManager = serviceContainer.getSecretsManager();
@@ -50,11 +53,13 @@ export class DeploymentManager implements vscode.Disposable {
 	public static create(
 		serviceContainer: ServiceContainer,
 		client: CoderApi,
+		oauthSessionManager: OAuthSessionManager,
 		workspaceProviders: WorkspaceProvider[],
 	): DeploymentManager {
 		const manager = new DeploymentManager(
 			serviceContainer,
 			client,
+			oauthSessionManager,
 			workspaceProviders,
 		);
 		manager.subscribeToCrossWindowChanges();
@@ -82,7 +87,7 @@ export class DeploymentManager implements vscode.Disposable {
 	public async changeDeployment(
 		deployment: DeploymentWithAuth & { user: User },
 	): Promise<void> {
-		this.setDeploymentCore(deployment);
+		await this.setDeploymentCore(deployment);
 
 		this.refreshWorkspaces();
 		await this.persistDeployment(deployment);
@@ -96,7 +101,12 @@ export class DeploymentManager implements vscode.Disposable {
 	public async setDeploymentWithoutAuth(
 		deployment: Deployment & { token?: string },
 	): Promise<void> {
-		this.setDeploymentCore({ ...deployment });
+		await this.setDeploymentCore({ ...deployment });
+
+		// This can be async since we'll get an auth event if the token is refreshed
+		this.oauthSessionManager.refreshIfAlmostExpired().catch((error) => {
+			this.logger.warn("Setup token refresh failed:", error);
+		});
 
 		await this.tryFetchAndUpgradeUser();
 	}
@@ -106,6 +116,7 @@ export class DeploymentManager implements vscode.Disposable {
 	 */
 	public async logout(): Promise<void> {
 		this.client.setCredentials(undefined, undefined);
+		this.oauthSessionManager.clearDeployment();
 
 		this.authListenerDisposable?.dispose();
 		this.authListenerDisposable = undefined;
@@ -116,12 +127,22 @@ export class DeploymentManager implements vscode.Disposable {
 		await this.secretsManager.setCurrentDeployment(undefined);
 	}
 
-	private setDeploymentCore(deployment: DeploymentWithAuth): void {
+	/**
+	 * Clear OAuth state for a deployment when switching to token auth.
+	 */
+	public async clearOAuthState(label: string): Promise<void> {
+		await this.oauthSessionManager.clearOAuthState(label);
+	}
+
+	private async setDeploymentCore(
+		deployment: DeploymentWithAuth,
+	): Promise<void> {
 		if (deployment.token === undefined) {
 			this.client.setHost(deployment.url);
 		} else {
 			this.client.setCredentials(deployment.url, deployment.token);
 		}
+		await this.oauthSessionManager.setDeployment(deployment);
 		this.registerAuthListener(deployment.label);
 		this.currentDeployment = { ...deployment };
 		this.updateAuthContexts(deployment.user);