Add a command for removing a registration (microsoft#249765)

* Add a command for removing a registration

And move code that needs to be moved into its own service to get this to work

* fix tests

Author: TylerLeonhardt

src/vs/workbench/api/browser/mainThreadAuthentication.ts

@@ -23,10 +23,9 @@ import { CancellationError } from '../../../base/common/errors.js';
 import { ILogService } from '../../../platform/log/common/log.js';
 import { ExtensionHostKind } from '../../services/extensions/common/extensionHostKind.js';
 import { IURLService } from '../../../platform/url/common/url.js';
-import { DeferredPromise, Queue, raceTimeout } from '../../../base/common/async.js';
-import { ISecretStorageService } from '../../../platform/secrets/common/secrets.js';
-import { IAuthorizationTokenResponse, isAuthorizationTokenResponse } from '../../../base/common/oauth.js';
-import { IStorageService, StorageScope, StorageTarget } from '../../../platform/storage/common/storage.js';
+import { DeferredPromise, raceTimeout } from '../../../base/common/async.js';
+import { IAuthorizationTokenResponse } from '../../../base/common/oauth.js';
+import { IDynamicAuthenticationProviderStorageService } from '../../services/authentication/common/dynamicAuthenticationProviderStorage.js';
 
 export interface AuthenticationInteractiveOptions {
 	detail?: string;
@@ -94,8 +93,7 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		@IOpenerService private readonly openerService: IOpenerService,
 		@ILogService private readonly logService: ILogService,
 		@IURLService private readonly urlService: IURLService,
-		@ISecretStorageService private readonly secretStorageService: ISecretStorageService,
-		@IStorageService private readonly storageService: IStorageService,
+		@IDynamicAuthenticationProviderStorageService private readonly dynamicAuthProviderStorageService: IDynamicAuthenticationProviderStorageService,
 	) {
 		super();
 		this._proxy = extHostContext.getProxy(ExtHostContext.ExtHostAuthentication);
@@ -107,33 +105,24 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 			const providerInfo = this.authenticationService.getProvider(e.providerId);
 			this._proxy.$onDidChangeAuthenticationSessions(providerInfo.id, providerInfo.label, e.extensionIds);
 		}));
+
+		// Listen for dynamic authentication provider token changes
+		this._register(this.dynamicAuthProviderStorageService.onDidChangeTokens(e => {
+			this._proxy.$onDidChangeDynamicAuthProviderTokens(e.authProviderId, e.clientId, e.tokens);
+		}));
+
 		this._register(authenticationService.registerAuthenticationProviderHostDelegate({
 			// Prefer Node.js extension hosts when they're available. No CORS issues etc.
 			priority: extHostContext.extensionHostKind === ExtensionHostKind.LocalWebWorker ? 0 : 1,
 			create: async (serverMetadata) => {
-				const clientId = storageService.get(`dynamicAuthClientId/${serverMetadata.issuer}`, StorageScope.APPLICATION, undefined);
+				const clientId = this.dynamicAuthProviderStorageService.getClientId(serverMetadata.issuer);
 				let initialTokens: (IAuthorizationTokenResponse & { created_at: number })[] | undefined = undefined;
 				if (clientId) {
-					initialTokens = await this._getSessionsForDynamicAuthProvider(serverMetadata.issuer, clientId);
+					initialTokens = await this.dynamicAuthProviderStorageService.getSessionsForDynamicAuthProvider(serverMetadata.issuer, clientId);
 				}
 				return this._proxy.$registerDynamicAuthProvider(serverMetadata, clientId, initialTokens);
 			}
 		}));
-		const queue = new Queue<void>();
-		this._register(this.secretStorageService.onDidChangeSecret(async key => {
-			let payload: { isDynamicAuthProvider: boolean; authProviderId: string; clientId: string } | undefined;
-			try {
-				payload = JSON.parse(key);
-			} catch (error) {
-				// Ignore errors... must not be a dynamic auth provider
-			}
-			if (payload?.isDynamicAuthProvider) {
-				void queue.queue(async () => {
-					const tokens = await this._getSessionsForDynamicAuthProvider(payload.authProviderId, payload.clientId);
-					this._proxy.$onDidChangeDynamicAuthProviderTokens(payload.authProviderId, payload.clientId, tokens);
-				});
-			}
-		}));
 	}
 
 	async $registerAuthenticationProvider(id: string, label: string, supportsMultipleAccounts: boolean, supportedIssuers: UriComponents[] = []): Promise<void> {
@@ -197,29 +186,11 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 
 	async $registerDynamicAuthenticationProvider(id: string, label: string, issuer: UriComponents, clientId: string): Promise<void> {
 		await this.$registerAuthenticationProvider(id, label, false, [issuer]);
-		this.storageService.store(`dynamicAuthClientId/${id}`, clientId, StorageScope.APPLICATION, StorageTarget.MACHINE);
-	}
-
-	private async _getSessionsForDynamicAuthProvider(authProviderId: string, clientId: string): Promise<(IAuthorizationTokenResponse & { created_at: number })[] | undefined> {
-		const key = JSON.stringify({ isDynamicAuthProvider: true, authProviderId, clientId });
-		const value = await this.secretStorageService.get(key);
-		if (value) {
-			const parsed = JSON.parse(value);
-			if (!Array.isArray(parsed) || !parsed.every((t) => typeof t.created_at === 'number' && isAuthorizationTokenResponse(t))) {
-				this.logService.error(`Invalid session data for ${authProviderId} (${clientId}) in secret storage:`, parsed);
-				this.secretStorageService.delete(key);
-				return undefined;
-			}
-			return parsed;
-		}
-		return undefined;
+		this.dynamicAuthProviderStorageService.storeClientId(id, clientId, label, URI.revive(issuer).toString());
 	}
 
 	async $setSessionsForDynamicAuthProvider(authProviderId: string, clientId: string, sessions: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void> {
-		const key = JSON.stringify({ isDynamicAuthProvider: true, authProviderId, clientId });
-		const value = JSON.stringify(sessions);
-		await this.secretStorageService.set(key, value);
-		this.logService.trace(`Set session data for ${authProviderId} (${clientId}) in secret storage:`, sessions);
+		await this.dynamicAuthProviderStorageService.setSessionsForDynamicAuthProvider(authProviderId, clientId, sessions);
 	}
 
 	private async loginPrompt(provider: IAuthenticationProvider, extensionName: string, recreatingSession: boolean, options?: AuthenticationInteractiveOptions): Promise<boolean> {

src/vs/workbench/api/test/browser/extHostAuthentication.integrationTest.ts

@@ -41,6 +41,8 @@ import { IUserActivityService, UserActivityService } from '../../../services/use
 import { ExtHostUrls } from '../../common/extHostUrls.js';
 import { ISecretStorageService } from '../../../../platform/secrets/common/secrets.js';
 import { TestSecretStorageService } from '../../../../platform/secrets/test/common/testSecretStorageService.js';
+import { IDynamicAuthenticationProviderStorageService } from '../../../services/authentication/common/dynamicAuthenticationProviderStorage.js';
+import { DynamicAuthenticationProviderStorageService } from '../../../services/authentication/browser/dynamicAuthenticationProviderStorageService.js';
 
 class AuthQuickPick {
 	private listener: ((e: IQuickPickDidAcceptEvent) => any) | undefined;
@@ -119,6 +121,7 @@ suite('ExtHostAuthentication', () => {
 		instantiationService.stub(IDialogService, new TestDialogService({ confirmed: true }));
 		instantiationService.stub(IStorageService, new TestStorageService());
 		instantiationService.stub(ISecretStorageService, new TestSecretStorageService());
+		instantiationService.stub(IDynamicAuthenticationProviderStorageService, instantiationService.createInstance(DynamicAuthenticationProviderStorageService));
 		instantiationService.stub(IQuickInputService, new AuthTestQuickInputService());
 		instantiationService.stub(IExtensionService, new TestExtensionService());
 

src/vs/workbench/contrib/authentication/browser/actions/manageDynamicAuthenticationProvidersAction.ts

@@ -0,0 +1,92 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { localize, localize2 } from '../../../../../nls.js';
+import { Action2 } from '../../../../../platform/actions/common/actions.js';
+import { ServicesAccessor } from '../../../../../platform/instantiation/common/instantiation.js';
+import { IQuickInputService, IQuickPickItem } from '../../../../../platform/quickinput/common/quickInput.js';
+import { IDynamicAuthenticationProviderStorageService, DynamicAuthenticationProviderInfo } from '../../../../services/authentication/common/dynamicAuthenticationProviderStorage.js';
+import { IAuthenticationService } from '../../../../services/authentication/common/authentication.js';
+import { IDialogService } from '../../../../../platform/dialogs/common/dialogs.js';
+
+interface IDynamicProviderQuickPickItem extends IQuickPickItem {
+	provider: DynamicAuthenticationProviderInfo;
+}
+
+export class RemoveDynamicAuthenticationProvidersAction extends Action2 {
+
+	static readonly ID = 'workbench.action.removeDynamicAuthenticationProviders';
+
+	constructor() {
+		super({
+			id: RemoveDynamicAuthenticationProvidersAction.ID,
+			title: localize2('removeDynamicAuthProviders', 'Remove Dynamic Authentication Providers'),
+			category: localize2('authenticationCategory', 'Authentication'),
+			f1: true
+		});
+	}
+
+	async run(accessor: ServicesAccessor): Promise<void> {
+		const quickInputService = accessor.get(IQuickInputService);
+		const dynamicAuthStorageService = accessor.get(IDynamicAuthenticationProviderStorageService);
+		const authenticationService = accessor.get(IAuthenticationService);
+		const dialogService = accessor.get(IDialogService);
+
+		const interactedProviders = dynamicAuthStorageService.getInteractedProviders();
+
+		if (interactedProviders.length === 0) {
+			await dialogService.info(
+				localize('noDynamicProviders', 'No dynamic authentication providers'),
+				localize('noDynamicProvidersDetail', 'No dynamic authentication providers have been used yet.')
+			);
+			return;
+		}
+
+		const items: IDynamicProviderQuickPickItem[] = interactedProviders.map(provider => ({
+			label: provider.label,
+			description: localize('clientId', 'Client ID: {0}', provider.clientId),
+			provider
+		}));
+
+		const selected = await quickInputService.pick(items, {
+			placeHolder: localize('selectProviderToRemove', 'Select a dynamic authentication provider to remove'),
+			canPickMany: true
+		});
+
+		if (!selected || selected.length === 0) {
+			return;
+		}
+
+		// Confirm deletion
+		const providerNames = selected.map(item => item.provider.label).join(', ');
+		const message = selected.length === 1
+			? localize('confirmDeleteSingleProvider', 'Are you sure you want to remove the dynamic authentication provider "{0}"?', providerNames)
+			: localize('confirmDeleteMultipleProviders', 'Are you sure you want to remove {0} dynamic authentication providers: {1}?', selected.length, providerNames);
+
+		const result = await dialogService.confirm({
+			message,
+			detail: localize('confirmDeleteDetail', 'This will remove all stored authentication data for the selected provider(s). You will need to re-authenticate if you use these providers again.'),
+			primaryButton: localize('remove', 'Remove'),
+			type: 'warning'
+		});
+
+		if (!result.confirmed) {
+			return;
+		}
+
+		// Remove the selected providers
+		for (const item of selected) {
+			const providerId = item.provider.providerId;
+
+			// Unregister from authentication service if still registered
+			if (authenticationService.isAuthenticationProviderRegistered(providerId)) {
+				authenticationService.unregisterAuthenticationProvider(providerId);
+			}
+
+			// Remove from dynamic storage service
+			await dynamicAuthStorageService.removeDynamicProvider(providerId);
+		}
+	}
+}

src/vs/workbench/contrib/authentication/browser/authentication.contribution.ts

@@ -21,6 +21,7 @@ import { ManageAccountPreferencesForExtensionAction } from './actions/manageAcco
 import { IAuthenticationUsageService } from '../../../services/authentication/browser/authenticationUsageService.js';
 import { ManageAccountPreferencesForMcpServerAction } from './actions/manageAccountPreferencesForMcpServerAction.js';
 import { ManageTrustedMcpServersForAccountAction } from './actions/manageTrustedMcpServersForAccountAction.js';
+import { RemoveDynamicAuthenticationProvidersAction } from './actions/manageDynamicAuthenticationProvidersAction.js';
 
 const codeExchangeProxyCommand = CommandsRegistry.registerCommand('workbench.getCodeExchangeProxyEndpoints', function (accessor, _) {
 	const environmentService = accessor.get(IBrowserWorkbenchEnvironmentService);
@@ -123,6 +124,7 @@ class AuthenticationContribution extends Disposable implements IWorkbenchContrib
 		this._register(registerAction2(ManageAccountPreferencesForExtensionAction));
 		this._register(registerAction2(ManageTrustedMcpServersForAccountAction));
 		this._register(registerAction2(ManageAccountPreferencesForMcpServerAction));
+		this._register(registerAction2(RemoveDynamicAuthenticationProvidersAction));
 	}
 
 	private _clearPlaceholderMenuItem(): void {

src/vs/workbench/services/authentication/browser/dynamicAuthenticationProviderStorageService.ts

@@ -0,0 +1,154 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import { IStorageService, StorageScope, StorageTarget } from '../../../../platform/storage/common/storage.js';
+import { InstantiationType, registerSingleton } from '../../../../platform/instantiation/common/extensions.js';
+import { IDynamicAuthenticationProviderStorageService, DynamicAuthenticationProviderInfo, DynamicAuthenticationProviderTokensChangeEvent } from '../common/dynamicAuthenticationProviderStorage.js';
+import { ISecretStorageService } from '../../../../platform/secrets/common/secrets.js';
+import { IAuthorizationTokenResponse, isAuthorizationTokenResponse } from '../../../../base/common/oauth.js';
+import { ILogService } from '../../../../platform/log/common/log.js';
+import { Emitter, Event } from '../../../../base/common/event.js';
+import { Disposable } from '../../../../base/common/lifecycle.js';
+import { Queue } from '../../../../base/common/async.js';
+
+export class DynamicAuthenticationProviderStorageService extends Disposable implements IDynamicAuthenticationProviderStorageService {
+	declare readonly _serviceBrand: undefined;
+
+	private static readonly PROVIDERS_STORAGE_KEY = 'dynamicAuthProviders';
+
+	private readonly _onDidChangeTokens = this._register(new Emitter<DynamicAuthenticationProviderTokensChangeEvent>());
+	readonly onDidChangeTokens: Event<DynamicAuthenticationProviderTokensChangeEvent> = this._onDidChangeTokens.event;
+
+	constructor(
+		@IStorageService private readonly storageService: IStorageService,
+		@ISecretStorageService private readonly secretStorageService: ISecretStorageService,
+		@ILogService private readonly logService: ILogService
+	) {
+		super();
+
+		// Listen for secret storage changes and emit events for dynamic auth provider token changes
+		const queue = new Queue<void>();
+		this._register(this.secretStorageService.onDidChangeSecret(async (key: string) => {
+			let payload: { isDynamicAuthProvider: boolean; authProviderId: string; clientId: string } | undefined;
+			try {
+				payload = JSON.parse(key);
+			} catch (error) {
+				// Ignore errors... must not be a dynamic auth provider
+			}
+			if (payload?.isDynamicAuthProvider) {
+				void queue.queue(async () => {
+					const tokens = await this.getSessionsForDynamicAuthProvider(payload.authProviderId, payload.clientId);
+					this._onDidChangeTokens.fire({
+						authProviderId: payload.authProviderId,
+						clientId: payload.clientId,
+						tokens
+					});
+				});
+			}
+		}));
+	}
+
+	getClientId(providerId: string): string | undefined {
+		const providers = this._getStoredProviders();
+		const provider = providers.find(p => p.providerId === providerId);
+		return provider?.clientId;
+	}
+
+	storeClientId(providerId: string, clientId: string, label?: string, issuer?: string): void {
+		// Store provider information in single location
+		this._trackProvider(providerId, clientId, label, issuer);
+	}
+
+	private _trackProvider(providerId: string, clientId: string, label?: string, issuer?: string): void {
+		const providers = this._getStoredProviders();
+
+		// Check if provider already exists
+		const existingProviderIndex = providers.findIndex(p => p.providerId === providerId);
+		if (existingProviderIndex === -1) {
+			// Add new provider with provided or default info
+			const newProvider: DynamicAuthenticationProviderInfo = {
+				providerId,
+				label: label || providerId, // Use provided label or providerId as default
+				issuer: issuer || providerId, // Use provided issuer or providerId as default
+				clientId
+			};
+			providers.push(newProvider);
+			this._storeProviders(providers);
+		} else {
+			const existingProvider = providers[existingProviderIndex];
+			// Create new provider object with updated info
+			const updatedProvider: DynamicAuthenticationProviderInfo = {
+				providerId,
+				label: label || existingProvider.label,
+				issuer: issuer || existingProvider.issuer,
+				clientId
+			};
+			providers[existingProviderIndex] = updatedProvider;
+			this._storeProviders(providers);
+		}
+	}
+
+	private _getStoredProviders(): DynamicAuthenticationProviderInfo[] {
+		const stored = this.storageService.get(DynamicAuthenticationProviderStorageService.PROVIDERS_STORAGE_KEY, StorageScope.APPLICATION, '[]');
+		try {
+			return JSON.parse(stored);
+		} catch {
+			return [];
+		}
+	}
+
+	private _storeProviders(providers: DynamicAuthenticationProviderInfo[]): void {
+		this.storageService.store(
+			DynamicAuthenticationProviderStorageService.PROVIDERS_STORAGE_KEY,
+			JSON.stringify(providers),
+			StorageScope.APPLICATION,
+			StorageTarget.MACHINE
+		);
+	}
+
+	getInteractedProviders(): ReadonlyArray<DynamicAuthenticationProviderInfo> {
+		return this._getStoredProviders();
+	}
+
+	async removeDynamicProvider(providerId: string): Promise<void> {
+		// Get provider info before removal for secret cleanup
+		const providers = this._getStoredProviders();
+		const providerInfo = providers.find(p => p.providerId === providerId);
+
+		// Remove from stored providers
+		const filteredProviders = providers.filter(p => p.providerId !== providerId);
+		this._storeProviders(filteredProviders);
+
+		// Remove sessions from secret storage if we have the provider info
+		if (providerInfo) {
+			const secretKey = JSON.stringify({ isDynamicAuthProvider: true, authProviderId: providerId, clientId: providerInfo.clientId });
+			await this.secretStorageService.delete(secretKey);
+		}
+	}
+
+	async getSessionsForDynamicAuthProvider(authProviderId: string, clientId: string): Promise<(IAuthorizationTokenResponse & { created_at: number })[] | undefined> {
+		const key = JSON.stringify({ isDynamicAuthProvider: true, authProviderId, clientId });
+		const value = await this.secretStorageService.get(key);
+		if (value) {
+			const parsed = JSON.parse(value);
+			if (!Array.isArray(parsed) || !parsed.every((t) => typeof t.created_at === 'number' && isAuthorizationTokenResponse(t))) {
+				this.logService.error(`Invalid session data for ${authProviderId} (${clientId}) in secret storage:`, parsed);
+				await this.secretStorageService.delete(key);
+				return undefined;
+			}
+			return parsed;
+		}
+		return undefined;
+	}
+
+	async setSessionsForDynamicAuthProvider(authProviderId: string, clientId: string, sessions: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void> {
+		const key = JSON.stringify({ isDynamicAuthProvider: true, authProviderId, clientId });
+		const value = JSON.stringify(sessions);
+		await this.secretStorageService.set(key, value);
+		this.logService.trace(`Set session data for ${authProviderId} (${clientId}) in secret storage:`, sessions);
+	}
+}
+
+registerSingleton(IDynamicAuthenticationProviderStorageService, DynamicAuthenticationProviderStorageService, InstantiationType.Delayed);