Regenerate Client Id when invalid_client is returned (microsoft#252714)

Fixes microsoft#250960

Author: TylerLeonhardt

src/vs/workbench/api/browser/mainThreadAuthentication.ts

@@ -233,6 +233,20 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		await this.dynamicAuthProviderStorageService.setSessionsForDynamicAuthProvider(authProviderId, clientId, sessions);
 	}
 
+	async $sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label }: Partial<{ providerId: string; clientId: string; authorizationServer: UriComponents; label: string }>): Promise<void> {
+		this.logService.info(`Client ID for authentication provider ${providerId} changed to ${clientId}`);
+		const existing = this.dynamicAuthProviderStorageService.getInteractedProviders().find(p => p.providerId === providerId);
+		if (!existing) {
+			throw new Error(`Dynamic authentication provider ${providerId} not found. Has it been registered?`);
+		}
+		this.dynamicAuthProviderStorageService.storeClientId(
+			providerId || existing.providerId,
+			authorizationServer ? URI.revive(authorizationServer).toString(true) : existing.authorizationServer,
+			clientId || existing.clientId,
+			label || existing.label
+		);
+	}
+
 	private async loginPrompt(provider: IAuthenticationProvider, extensionName: string, recreatingSession: boolean, options?: AuthenticationInteractiveOptions): Promise<boolean> {
 		let message: string;
 

src/vs/workbench/api/common/extHost.protocol.ts

@@ -195,6 +195,7 @@ export interface MainThreadAuthenticationShape extends IDisposable {
 	$showDeviceCodeModal(userCode: string, verificationUri: string): Promise<boolean>;
 	$registerDynamicAuthenticationProvider(id: string, label: string, authorizationServer: UriComponents, clientId: string): Promise<void>;
 	$setSessionsForDynamicAuthProvider(authProviderId: string, clientId: string, sessions: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void>;
+	$sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label }: { providerId: string; clientId?: string; authorizationServer?: UriComponents; label?: string }): Promise<void>;
 }
 
 export interface MainThreadSecretStateShape extends IDisposable {

src/vs/workbench/api/common/extHostAuthentication.ts

@@ -13,7 +13,7 @@ import { INTERNAL_AUTH_PROVIDER_PREFIX } from '../../services/authentication/com
 import { createDecorator } from '../../../platform/instantiation/common/instantiation.js';
 import { IExtHostRpcService } from './extHostRpcService.js';
 import { URI, UriComponents } from '../../../base/common/uri.js';
-import { fetchDynamicRegistration, getClaimsFromJWT, IAuthorizationJWTClaims, IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata, IAuthorizationTokenResponse, isAuthorizationTokenResponse } from '../../../base/common/oauth.js';
+import { AuthorizationErrorType, fetchDynamicRegistration, getClaimsFromJWT, IAuthorizationJWTClaims, IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata, IAuthorizationTokenResponse, isAuthorizationErrorResponse, isAuthorizationTokenResponse } from '../../../base/common/oauth.js';
 import { IExtHostWindow } from './extHostWindow.js';
 import { IExtHostInitDataService } from './extHostInitDataService.js';
 import { ILogger, ILoggerService, ILogService } from '../../../platform/log/common/log.js';
@@ -213,13 +213,19 @@ export class ExtHostAuthentication implements ExtHostAuthenticationShape {
 
 		// Use the sequencer to ensure dynamic provider registration is serialized
 		await this._providerOperations.queue(provider.id, async () => {
-			const disposable = provider.onDidChangeSessions(e => this._proxy.$sendDidChangeSessions(provider.id, e));
 			this._authenticationProviders.set(
 				provider.id,
 				{
 					label: provider.label,
 					provider,
-					disposable: Disposable.from(provider, disposable),
+					disposable: Disposable.from(
+						provider,
+						provider.onDidChangeSessions(e => this._proxy.$sendDidChangeSessions(provider.id, e)),
+						provider.onDidChangeClientId(() => this._proxy.$sendDidChangeDynamicProviderInfo({
+							providerId: provider.id,
+							clientId: provider.clientId
+						}))
+					),
 					options: { supportsMultipleAccounts: false }
 				}
 			);
@@ -256,6 +262,9 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 	private _onDidChangeSessions = new Emitter<vscode.AuthenticationProviderAuthenticationSessionsChangeEvent>();
 	readonly onDidChangeSessions = this._onDidChangeSessions.event;
 
+	private readonly _onDidChangeClientId = new Emitter<void>();
+	readonly onDidChangeClientId = this._onDidChangeClientId.event;
+
 	private readonly _tokenStore: TokenStore;
 
 	protected readonly _createFlows: Array<{
@@ -276,7 +285,7 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		readonly authorizationServer: URI,
 		protected readonly _serverMetadata: IAuthorizationServerMetadata,
 		protected readonly _resourceMetadata: IAuthorizationProtectedResourceMetadata | undefined,
-		readonly clientId: string,
+		protected _clientId: string,
 		onDidDynamicAuthProviderTokensChange: Emitter<{ authProviderId: string; clientId: string; tokens: IAuthorizationToken[] }>,
 		initialTokens: IAuthorizationToken[],
 	) {
@@ -292,7 +301,7 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		this._disposable = new DisposableStore();
 		this._disposable.add(this._onDidChangeSessions);
 		const scopedEvent = Event.chain(onDidDynamicAuthProviderTokensChange.event, $ => $
-			.filter(e => e.authProviderId === this.id && e.clientId === clientId)
+			.filter(e => e.authProviderId === this.id && e.clientId === _clientId)
 			.map(e => e.tokens)
 		);
 		this._tokenStore = this._disposable.add(new TokenStore(
@@ -311,6 +320,10 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		}];
 	}
 
+	get clientId(): string {
+		return this._clientId;
+	}
+
 	async getSessions(scopes: readonly string[] | undefined, _options: vscode.AuthenticationProviderSessionOptions): Promise<vscode.AuthenticationSession[]> {
 		this._logger.info(`Getting sessions for scopes: ${scopes?.join(' ') ?? 'all'}`);
 		if (!scopes) {
@@ -455,7 +468,7 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 
 		// Prepare the authorization request URL
 		const authorizationUrl = new URL(this._serverMetadata.authorization_endpoint!);
-		authorizationUrl.searchParams.append('client_id', this.clientId);
+		authorizationUrl.searchParams.append('client_id', this._clientId);
 		authorizationUrl.searchParams.append('response_type', 'code');
 		authorizationUrl.searchParams.append('state', state.toString());
 		authorizationUrl.searchParams.append('code_challenge', codeChallenge);
@@ -546,7 +559,7 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		}
 
 		const tokenRequest = new URLSearchParams();
-		tokenRequest.append('client_id', this.clientId);
+		tokenRequest.append('client_id', this._clientId);
 		tokenRequest.append('grant_type', 'authorization_code');
 		tokenRequest.append('code', code);
 		tokenRequest.append('redirect_uri', redirectUri);
@@ -569,6 +582,10 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		const result = await response.json();
 		if (isAuthorizationTokenResponse(result)) {
 			return result;
+		} else if (isAuthorizationErrorResponse(result) && result.error === AuthorizationErrorType.InvalidClient) {
+			this._logger.warn(`Client ID (${this._clientId}) was invalid, generated a new one.`);
+			await this._generateNewClientId();
+			throw new Error(`Client ID was invalid, generated a new one. Please try again.`);
 		}
 		throw new Error(`Invalid authorization token response: ${JSON.stringify(result)}`);
 	}
@@ -579,7 +596,7 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		}
 
 		const tokenRequest = new URLSearchParams();
-		tokenRequest.append('client_id', this.clientId);
+		tokenRequest.append('client_id', this._clientId);
 		tokenRequest.append('grant_type', 'refresh_token');
 		tokenRequest.append('refresh_token', refreshToken);
 
@@ -592,20 +609,30 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 			body: tokenRequest.toString()
 		});
 
-		if (!response.ok) {
-			const text = await response.text();
-			throw new Error(`Token exchange failed: ${response.status} ${response.statusText} - ${text}`);
-		}
-
 		const result = await response.json();
 		if (isAuthorizationTokenResponse(result)) {
 			return {
 				...result,
 				created_at: Date.now(),
 			};
+		} else if (isAuthorizationErrorResponse(result) && result.error === AuthorizationErrorType.InvalidClient) {
+			this._logger.warn(`Client ID (${this._clientId}) was invalid, generated a new one.`);
+			await this._generateNewClientId();
+			throw new Error(`Client ID was invalid, generated a new one. Please try again.`);
 		}
 		throw new Error(`Invalid authorization token response: ${JSON.stringify(result)}`);
 	}
+
+	protected async _generateNewClientId(): Promise<void> {
+		try {
+			const registration = await fetchDynamicRegistration(this._serverMetadata, this._initData.environment.appName, this._resourceMetadata?.scopes_supported);
+			this._clientId = registration.client_id;
+			this._onDidChangeClientId.fire();
+		} catch (err) {
+			this._logger.error(`Failed to fetch new client ID: ${err}`);
+			throw new Error(`Failed to fetch new client ID: ${err}`);
+		}
+	}
 }
 
 type IAuthorizationToken = IAuthorizationTokenResponse & {

src/vs/workbench/api/node/extHostAuthentication.ts

@@ -13,7 +13,7 @@ import { IExtHostWindow } from '../common/extHostWindow.js';
 import { IExtHostUrlsService } from '../common/extHostUrls.js';
 import { ILoggerService, ILogService } from '../../../platform/log/common/log.js';
 import { MainThreadAuthenticationShape } from '../common/extHost.protocol.js';
-import { IAuthorizationServerMetadata, IAuthorizationProtectedResourceMetadata, IAuthorizationTokenResponse, IAuthorizationDeviceResponse, isAuthorizationDeviceResponse, isAuthorizationTokenResponse, IAuthorizationDeviceTokenErrorResponse } from '../../../base/common/oauth.js';
+import { IAuthorizationServerMetadata, IAuthorizationProtectedResourceMetadata, IAuthorizationTokenResponse, IAuthorizationDeviceResponse, isAuthorizationDeviceResponse, isAuthorizationTokenResponse, IAuthorizationDeviceTokenErrorResponse, AuthorizationErrorType, AuthorizationDeviceCodeErrorType } from '../../../base/common/oauth.js';
 import { Emitter } from '../../../base/common/event.js';
 import { raceCancellationError } from '../../../base/common/async.js';
 import { IExtHostProgress } from '../common/extHostProgress.js';
@@ -88,7 +88,7 @@ export class NodeDynamicAuthProvider extends DynamicAuthProvider {
 
 		// Prepare the authorization request URL
 		const authorizationUrl = new URL(this._serverMetadata.authorization_endpoint!);
-		authorizationUrl.searchParams.append('client_id', this.clientId);
+		authorizationUrl.searchParams.append('client_id', this._clientId);
 		authorizationUrl.searchParams.append('response_type', 'code');
 		authorizationUrl.searchParams.append('code_challenge', codeChallenge);
 		authorizationUrl.searchParams.append('code_challenge_method', 'S256');
@@ -173,7 +173,7 @@ export class NodeDynamicAuthProvider extends DynamicAuthProvider {
 
 		// Step 1: Request device and user codes
 		const deviceCodeRequest = new URLSearchParams();
-		deviceCodeRequest.append('client_id', this.clientId);
+		deviceCodeRequest.append('client_id', this._clientId);
 		if (scopeString) {
 			deviceCodeRequest.append('scope', scopeString);
 		}
@@ -243,7 +243,7 @@ export class NodeDynamicAuthProvider extends DynamicAuthProvider {
 			const tokenRequest = new URLSearchParams();
 			tokenRequest.append('grant_type', 'urn:ietf:params:oauth:grant-type:device_code');
 			tokenRequest.append('device_code', deviceCodeData.device_code);
-			tokenRequest.append('client_id', this.clientId);
+			tokenRequest.append('client_id', this._clientId);
 
 			try {
 				const tokenResponse = await fetch(this._serverMetadata.token_endpoint, {
@@ -273,17 +273,21 @@ export class NodeDynamicAuthProvider extends DynamicAuthProvider {
 					}
 
 					// Handle known error cases
-					if (errorData.error === 'authorization_pending') {
+					if (errorData.error === AuthorizationDeviceCodeErrorType.AuthorizationPending) {
 						// User hasn't completed authorization yet, continue polling
 						continue;
-					} else if (errorData.error === 'slow_down') {
+					} else if (errorData.error === AuthorizationDeviceCodeErrorType.SlowDown) {
 						// Server is asking us to slow down
 						await new Promise(resolve => setTimeout(resolve, pollInterval));
 						continue;
-					} else if (errorData.error === 'expired_token') {
+					} else if (errorData.error === AuthorizationDeviceCodeErrorType.ExpiredToken) {
 						throw new Error('Device code expired. Please try again.');
-					} else if (errorData.error === 'access_denied') {
+					} else if (errorData.error === AuthorizationDeviceCodeErrorType.AccessDenied) {
 						throw new CancellationError();
+					} else if (errorData.error === AuthorizationErrorType.InvalidClient) {
+						this._logger.warn(`Client ID (${this._clientId}) was invalid, generated a new one.`);
+						await this._generateNewClientId();
+						throw new Error(`Client ID was invalid, generated a new one. Please try again.`);
 					} else {
 						throw new Error(`Token request failed: ${errorData.error_description || errorData.error || 'Unknown error'}`);
 					}
@@ -292,9 +296,7 @@ export class NodeDynamicAuthProvider extends DynamicAuthProvider {
 				if (isCancellationError(error)) {
 					throw error;
 				}
-				this._logger.error(`Error polling for token: ${error}`);
-				// Continue polling on network errors
-				continue;
+				throw new Error(`Error polling for token: ${error}`);
 			}
 		}