Add loopback & device code flows (microsoft#250015)

Author: TylerLeonhardt

src/vs/base/common/oauth.ts

@@ -97,6 +97,11 @@ export interface IAuthorizationServerMetadata {
 	 */
 	token_endpoint?: string;
 
+	/**
+	 * OPTIONAL. URL of the authorization server's device code endpoint.
+	 */
+	device_authorization_endpoint?: string;
+
 	/**
 	 * OPTIONAL. URL of the authorization server's JWK Set document containing signing keys.
 	 */
@@ -350,6 +355,70 @@ export interface IAuthorizationTokenErrorResponse {
 	error_uri?: string;
 }
 
+/**
+ * Response from the device authorization endpoint as per RFC 8628 section 3.2.
+ */
+export interface IAuthorizationDeviceResponse {
+	/**
+	 * REQUIRED. The device verification code.
+	 */
+	device_code: string;
+
+	/**
+	 * REQUIRED. The end-user verification code.
+	 */
+	user_code: string;
+
+	/**
+	 * REQUIRED. The end-user verification URI on the authorization server.
+	 */
+	verification_uri: string;
+
+	/**
+	 * OPTIONAL. A verification URI that includes the user_code, designed for non-textual transmission.
+	 */
+	verification_uri_complete?: string;
+
+	/**
+	 * REQUIRED. The lifetime in seconds of the device_code and user_code.
+	 */
+	expires_in: number;
+
+	/**
+	 * OPTIONAL. The minimum amount of time in seconds that the client should wait between polling requests.
+	 * If no value is provided, clients must use 5 as the default.
+	 */
+	interval?: number;
+}
+
+/**
+ * Error response from the token endpoint when using device authorization grant.
+ * As defined in RFC 8628 section 3.5.
+ */
+export interface IAuthorizationDeviceTokenErrorResponse {
+	/**
+	 * REQUIRED. Error code as specified in OAuth 2.0 or in RFC 8628 section 3.5.
+	 * Standard OAuth 2.0 error codes plus:
+	 * - "authorization_pending": The authorization request is still pending as the end user hasn't completed the user interaction steps
+	 * - "slow_down": A variant of "authorization_pending", polling should continue but interval must be increased by 5 seconds
+	 * - "access_denied": The authorization request was denied
+	 * - "expired_token": The "device_code" has expired and the device authorization session has concluded
+	 */
+	error: 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' |
+	'unsupported_grant_type' | 'invalid_scope' | 'authorization_pending' |
+	'slow_down' | 'access_denied' | 'expired_token' | string;
+
+	/**
+	 * OPTIONAL. Human-readable description of the error.
+	 */
+	error_description?: string;
+
+	/**
+	 * OPTIONAL. URI to a human-readable web page with more information about the error.
+	 */
+	error_uri?: string;
+}
+
 export interface IAuthorizationJWTClaims {
 	/**
 	 * REQUIRED. JWT ID. Unique identifier for the token.
@@ -537,6 +606,22 @@ export function isDynamicClientRegistrationResponse(obj: unknown): obj is IAutho
 	return response.client_id !== undefined && response.client_name !== undefined;
 }
 
+export function isAuthorizationDeviceResponse(obj: unknown): obj is IAuthorizationDeviceResponse {
+	if (typeof obj !== 'object' || obj === null) {
+		return false;
+	}
+	const response = obj as IAuthorizationDeviceResponse;
+	return response.device_code !== undefined && response.user_code !== undefined && response.verification_uri !== undefined && response.expires_in !== undefined;
+}
+
+export function isAuthorizationDeviceTokenErrorResponse(obj: unknown): obj is IAuthorizationDeviceTokenErrorResponse {
+	if (typeof obj !== 'object' || obj === null) {
+		return false;
+	}
+	const response = obj as IAuthorizationDeviceTokenErrorResponse;
+	return response.error !== undefined && response.error_description !== undefined;
+}
+
 //#endregion
 
 export function getDefaultMetadataForUrl(issuer: URL): IRequiredAuthorizationServerMetadata & IRequiredAuthorizationServerMetadata {
@@ -561,7 +646,15 @@ export function getMetadataWithDefaultValues(metadata: IAuthorizationServerMetad
 	};
 }
 
-export async function fetchDynamicRegistration(registrationEndpoint: string, clientName: string, additionalRedirectUris: string[] = []): Promise<IAuthorizationDynamicClientRegistrationResponse> {
+/**
+ * Default port for the authorization flow. We try to use this port so that
+ * the redirect URI does not change when running on localhost. This is useful
+ * for servers that only allow exact matches on the redirect URI. The spec
+ * says that the port should not matter, but some servers do not follow
+ * the spec and require an exact match.
+ */
+export const DEFAULT_AUTH_FLOW_PORT = 33418;
+export async function fetchDynamicRegistration(registrationEndpoint: string, clientName: string): Promise<IAuthorizationDynamicClientRegistrationResponse> {
 	const response = await fetch(registrationEndpoint, {
 		method: 'POST',
 		headers: {
@@ -570,12 +663,19 @@ export async function fetchDynamicRegistration(registrationEndpoint: string, cli
 		body: JSON.stringify({
 			client_name: clientName,
 			client_uri: 'https://code.visualstudio.com',
-			grant_types: ['authorization_code', 'refresh_token'],
+			grant_types: ['authorization_code', 'refresh_token', 'urn:ietf:params:oauth:grant-type:device_code'],
 			response_types: ['code'],
 			redirect_uris: [
 				'https://insiders.vscode.dev/redirect',
 				'https://vscode.dev/redirect',
-				...additionalRedirectUris
+				'http://localhost/',
+				'http://127.0.0.1/',
+				// Added these for any server that might do
+				// only exact match on the redirect URI even
+				// though the spec says it should not care
+				// about the port.
+				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}/`,
+				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}/`
 			],
 			token_endpoint_auth_method: 'none'
 		})

src/vs/base/test/common/oauth.test.ts

@@ -10,6 +10,8 @@ import {
 	getDefaultMetadataForUrl,
 	getMetadataWithDefaultValues,
 	isAuthorizationAuthorizeResponse,
+	isAuthorizationDeviceResponse,
+	isAuthorizationDeviceTokenErrorResponse,
 	isAuthorizationDynamicClientRegistrationResponse,
 	isAuthorizationProtectedResourceMetadata,
 	isAuthorizationServerMetadata,
@@ -18,7 +20,8 @@ import {
 	parseWWWAuthenticateHeader,
 	fetchDynamicRegistration,
 	IAuthorizationJWTClaims,
-	IAuthorizationServerMetadata
+	IAuthorizationServerMetadata,
+	DEFAULT_AUTH_FLOW_PORT
 } from '../../common/oauth.js';
 import { ensureNoDisposablesAreLeakedInTestSuite } from './utils.js';
 import { encodeBase64, VSBuffer } from '../../common/buffer.js';
@@ -115,6 +118,81 @@ suite('OAuth', () => {
 			assert.strictEqual(isDynamicClientRegistrationResponse({ client_name: 'missing-id' }), false);
 			assert.strictEqual(isDynamicClientRegistrationResponse('not an object'), false);
 		});
+
+		test('isAuthorizationDeviceResponse should correctly identify device authorization response', () => {
+			// Valid response
+			assert.strictEqual(isAuthorizationDeviceResponse({
+				device_code: 'device-code-123',
+				user_code: 'ABCD-EFGH',
+				verification_uri: 'https://example.com/verify',
+				expires_in: 1800
+			}), true);
+
+			// Valid response with optional fields
+			assert.strictEqual(isAuthorizationDeviceResponse({
+				device_code: 'device-code-123',
+				user_code: 'ABCD-EFGH',
+				verification_uri: 'https://example.com/verify',
+				verification_uri_complete: 'https://example.com/verify?user_code=ABCD-EFGH',
+				expires_in: 1800,
+				interval: 5
+			}), true);
+
+			// Invalid cases
+			assert.strictEqual(isAuthorizationDeviceResponse(null), false);
+			assert.strictEqual(isAuthorizationDeviceResponse(undefined), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({}), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({ device_code: 'missing-others' }), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({ user_code: 'missing-others' }), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({ verification_uri: 'missing-others' }), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({ expires_in: 1800 }), false);
+			assert.strictEqual(isAuthorizationDeviceResponse({
+				device_code: 'device-code-123',
+				user_code: 'ABCD-EFGH',
+				verification_uri: 'https://example.com/verify'
+				// Missing expires_in
+			}), false);
+			assert.strictEqual(isAuthorizationDeviceResponse('not an object'), false);
+		});
+
+		test('isAuthorizationDeviceTokenErrorResponse should correctly identify device token error response', () => {
+			// Valid error response
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({
+				error: 'authorization_pending',
+				error_description: 'The authorization request is still pending'
+			}), true);
+
+			// Valid error response with different error codes
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({
+				error: 'slow_down',
+				error_description: 'Polling too fast'
+			}), true);
+
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({
+				error: 'access_denied',
+				error_description: 'The user denied the request'
+			}), true);
+
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({
+				error: 'expired_token',
+				error_description: 'The device code has expired'
+			}), true);
+
+			// Valid response with optional error_uri
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({
+				error: 'invalid_request',
+				error_description: 'The request is missing a required parameter',
+				error_uri: 'https://example.com/error'
+			}), true);
+
+			// Invalid cases
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse(null), false);
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse(undefined), false);
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({}), false);
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({ error: 'missing-description' }), false);
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse({ error_description: 'missing-error' }), false);
+			assert.strictEqual(isAuthorizationDeviceTokenErrorResponse('not an object'), false);
+		});
 	});
 
 	suite('Utility Functions', () => {
@@ -257,8 +335,7 @@ suite('OAuth', () => {
 
 			const result = await fetchDynamicRegistration(
 				'https://auth.example.com/register',
-				'Test Client',
-				['https://custom-redirect.com/callback']
+				'Test Client'
 			);
 
 			// Verify fetch was called correctly
@@ -272,12 +349,15 @@ suite('OAuth', () => {
 			const requestBody = JSON.parse(options.body as string);
 			assert.strictEqual(requestBody.client_name, 'Test Client');
 			assert.strictEqual(requestBody.client_uri, 'https://code.visualstudio.com');
-			assert.deepStrictEqual(requestBody.grant_types, ['authorization_code', 'refresh_token']);
+			assert.deepStrictEqual(requestBody.grant_types, ['authorization_code', 'refresh_token', 'urn:ietf:params:oauth:grant-type:device_code']);
 			assert.deepStrictEqual(requestBody.response_types, ['code']);
 			assert.deepStrictEqual(requestBody.redirect_uris, [
 				'https://insiders.vscode.dev/redirect',
 				'https://vscode.dev/redirect',
-				'https://custom-redirect.com/callback'
+				'http://localhost/',
+				'http://127.0.0.1/',
+				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}/`,
+				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}/`
 			]);
 
 			// Verify response is processed correctly

src/vs/workbench/api/browser/mainThreadAuthentication.ts

@@ -26,6 +26,7 @@ import { IURLService } from '../../../platform/url/common/url.js';
 import { DeferredPromise, raceTimeout } from '../../../base/common/async.js';
 import { IAuthorizationTokenResponse } from '../../../base/common/oauth.js';
 import { IDynamicAuthenticationProviderStorageService } from '../../services/authentication/common/dynamicAuthenticationProviderStorage.js';
+import { IClipboardService } from '../../../platform/clipboard/common/clipboardService.js';
 
 export interface AuthenticationInteractiveOptions {
 	detail?: string;
@@ -94,6 +95,7 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		@ILogService private readonly logService: ILogService,
 		@IURLService private readonly urlService: IURLService,
 		@IDynamicAuthenticationProviderStorageService private readonly dynamicAuthProviderStorageService: IDynamicAuthenticationProviderStorageService,
+		@IClipboardService private readonly clipboardService: IClipboardService
 	) {
 		super();
 		this._proxy = extHostContext.getProxy(ExtHostContext.ExtHostAuthentication);
@@ -188,6 +190,28 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		return await deferredPromise.p;
 	}
 
+	$showContinueNotification(message: string): Promise<boolean> {
+		const yes = nls.localize('yes', "Yes");
+		const no = nls.localize('no', "No");
+		const deferredPromise = new DeferredPromise<boolean>();
+		let result = false;
+		const handle = this.notificationService.prompt(
+			Severity.Warning,
+			message,
+			[{
+				label: yes,
+				run: () => result = true
+			}, {
+				label: no,
+				run: () => result = false
+			}]);
+		const disposable = handle.onDidClose(() => {
+			deferredPromise.complete(result);
+			disposable.dispose();
+		});
+		return deferredPromise.p;
+	}
+
 	async $registerDynamicAuthenticationProvider(id: string, label: string, issuer: UriComponents, clientId: string): Promise<void> {
 		await this.$registerAuthenticationProvider(id, label, false, [issuer]);
 		this.dynamicAuthProviderStorageService.storeClientId(id, clientId, label, URI.revive(issuer).toString());
@@ -459,4 +483,30 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 	}
 
 	//#endregion
+
+	async $showDeviceCodeModal(userCode: string, verificationUri: string): Promise<boolean> {
+		const { result } = await this.dialogService.prompt({
+			type: Severity.Info,
+			message: nls.localize('deviceCodeTitle', "Device Code Authentication"),
+			detail: nls.localize('deviceCodeDetail', "Your code: {0}\n\nTo complete authentication, navigate to {1} and enter the code above.", userCode, verificationUri),
+			buttons: [
+				{
+					label: nls.localize('copyAndContinue', "Copy & Continue"),
+					run: () => true
+				}
+			],
+			cancelButton: true
+		});
+
+		if (result) {
+			// Open verification URI
+			try {
+				await this.clipboardService.writeText(userCode);
+				return await this.openerService.open(URI.parse(verificationUri));
+			} catch (error) {
+				this.notificationService.error(nls.localize('failedToOpenUri', "Failed to open {0}", verificationUri));
+			}
+		}
+		return false;
+	}
 }

src/vs/workbench/api/common/extHost.api.impl.ts

@@ -78,7 +78,7 @@ import { ExtHostNotebookKernels } from './extHostNotebookKernels.js';
 import { ExtHostNotebookRenderers } from './extHostNotebookRenderers.js';
 import { IExtHostOutputService } from './extHostOutput.js';
 import { ExtHostProfileContentHandlers } from './extHostProfileContentHandler.js';
-import { ExtHostProgress } from './extHostProgress.js';
+import { IExtHostProgress } from './extHostProgress.js';
 import { ExtHostQuickDiff } from './extHostQuickDiff.js';
 import { createExtHostQuickOpen } from './extHostQuickOpen.js';
 import { IExtHostRpcService } from './extHostRpcService.js';
@@ -147,6 +147,7 @@ export function createApiFactoryAndRegisterActors(accessor: ServicesAccessor): I
 	const extHostSecretState = accessor.get(IExtHostSecretState);
 	const extHostEditorTabs = accessor.get(IExtHostEditorTabs);
 	const extHostManagedSockets = accessor.get(IExtHostManagedSockets);
+	const extHostProgress = accessor.get(IExtHostProgress);
 	const extHostAuthentication = accessor.get(IExtHostAuthentication);
 	const extHostLanguageModels = accessor.get(IExtHostLanguageModels);
 	const extHostMcp = accessor.get(IExtHostMpcService);
@@ -165,6 +166,7 @@ export function createApiFactoryAndRegisterActors(accessor: ServicesAccessor): I
 	rpcProtocol.set(ExtHostContext.ExtHostTelemetry, extHostTelemetry);
 	rpcProtocol.set(ExtHostContext.ExtHostEditorTabs, extHostEditorTabs);
 	rpcProtocol.set(ExtHostContext.ExtHostManagedSockets, extHostManagedSockets);
+	rpcProtocol.set(ExtHostContext.ExtHostProgress, extHostProgress);
 	rpcProtocol.set(ExtHostContext.ExtHostAuthentication, extHostAuthentication);
 	rpcProtocol.set(ExtHostContext.ExtHostChatProvider, extHostLanguageModels);
 
@@ -204,7 +206,6 @@ export function createApiFactoryAndRegisterActors(accessor: ServicesAccessor): I
 	const extHostQuickDiff = rpcProtocol.set(ExtHostContext.ExtHostQuickDiff, new ExtHostQuickDiff(rpcProtocol, uriTransformer));
 	const extHostShare = rpcProtocol.set(ExtHostContext.ExtHostShare, new ExtHostShare(rpcProtocol, uriTransformer));
 	const extHostComment = rpcProtocol.set(ExtHostContext.ExtHostComments, createExtHostComments(rpcProtocol, extHostCommands, extHostDocuments));
-	const extHostProgress = rpcProtocol.set(ExtHostContext.ExtHostProgress, new ExtHostProgress(rpcProtocol.getProxy(MainContext.MainThreadProgress)));
 	const extHostLabelService = rpcProtocol.set(ExtHostContext.ExtHostLabelService, new ExtHostLabelService(rpcProtocol));
 	const extHostTheming = rpcProtocol.set(ExtHostContext.ExtHostTheming, new ExtHostTheming(rpcProtocol));
 	const extHostTimeline = rpcProtocol.set(ExtHostContext.ExtHostTimeline, new ExtHostTimeline(rpcProtocol, extHostCommands));