Add client ID fallback for MCP OAuth when Dynamic Client Registration fails (microsoft#255633)

* Initial plan

* Add client ID fallback functionality for MCP OAuth when DCR fails

Co-authored-by: TylerLeonhardt <[email protected]>

* Add client secret support for MCP OAuth when DCR fails

Co-authored-by: TylerLeonhardt <[email protected]>

* Merge client ID and client secret prompts into single $promptForClientDetails method

Co-authored-by: TylerLeonhardt <[email protected]>

* Add persistent client secret storage for MCP OAuth authentication

Co-authored-by: TylerLeonhardt <[email protected]>

* Consolidate client credentials storage in SecretStorage

Co-authored-by: TylerLeonhardt <[email protected]>

* Consolidate getClientId and getClientSecret into single getClientDetails method

Co-authored-by: TylerLeonhardt <[email protected]>

* Add modal dialog and improve UX for client registration prompts

- Add modal dialog before prompting for client details to explain DCR not supported
- Include redirect URI information in modal dialog (http://localhost:*, https://vscode.dev/redirect)
- Use shared title "Add Client Registration Details" across multi-step quick picks
- Remove "please" from prompts to keep them concise
- Remove unnecessary validateInput function for client secret
- Improve overall user experience flow

Co-authored-by: TylerLeonhardt <[email protected]>

* misc fixes

* polish

* No longer need to fill in urls

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>

Author: TylerLeonhardt

src/vs/base/common/oauth.ts

@@ -258,12 +258,6 @@ export interface IAuthorizationServerMetadata {
 	code_challenge_methods_supported?: string[];
 }
 
-export interface IRequiredAuthorizationServerMetadata extends IAuthorizationServerMetadata {
-	authorization_endpoint: string;
-	token_endpoint: string;
-	registration_endpoint: string;
-}
-
 /**
  * Response from the dynamic client registration endpoint.
  */
@@ -697,7 +691,7 @@ export function isAuthorizationRegistrationErrorResponse(obj: unknown): obj is I
 
 //#endregion
 
-export function getDefaultMetadataForUrl(authorizationServer: URL): IRequiredAuthorizationServerMetadata & IRequiredAuthorizationServerMetadata {
+export function getDefaultMetadataForUrl(authorizationServer: URL): IAuthorizationServerMetadata {
 	return {
 		issuer: authorizationServer.toString(),
 		authorization_endpoint: new URL('/authorize', authorizationServer).toString(),
@@ -709,16 +703,6 @@ export function getDefaultMetadataForUrl(authorizationServer: URL): IRequiredAut
 	};
 }
 
-export function getMetadataWithDefaultValues(metadata: IAuthorizationServerMetadata): IAuthorizationServerMetadata & IRequiredAuthorizationServerMetadata {
-	const issuer = new URL(metadata.issuer);
-	return {
-		...metadata,
-		authorization_endpoint: metadata.authorization_endpoint ?? new URL('/authorize', issuer).toString(),
-		token_endpoint: metadata.token_endpoint ?? new URL('/token', issuer).toString(),
-		registration_endpoint: metadata.registration_endpoint ?? new URL('/register', issuer).toString(),
-	};
-}
-
 /**
  * The grant types that we support
  */

src/vs/base/test/common/oauth.test.ts

@@ -8,7 +8,6 @@ import * as sinon from 'sinon';
 import {
 	getClaimsFromJWT,
 	getDefaultMetadataForUrl,
-	getMetadataWithDefaultValues,
 	getResourceServerBaseUrlFromDiscoveryUrl,
 	isAuthorizationAuthorizeResponse,
 	isAuthorizationDeviceResponse,
@@ -189,37 +188,6 @@ suite('OAuth', () => {
 			assert.strictEqual(metadata.registration_endpoint, 'https://auth.example.com/register');
 			assert.deepStrictEqual(metadata.response_types_supported, ['code', 'id_token', 'id_token token']);
 		});
-
-		test('getMetadataWithDefaultValues should fill in missing endpoints', () => {
-			const minimal: IAuthorizationServerMetadata = {
-				issuer: 'https://auth.example.com',
-				response_types_supported: ['code']
-			};
-
-			const complete = getMetadataWithDefaultValues(minimal);
-
-			assert.strictEqual(complete.issuer, 'https://auth.example.com');
-			assert.strictEqual(complete.authorization_endpoint, 'https://auth.example.com/authorize');
-			assert.strictEqual(complete.token_endpoint, 'https://auth.example.com/token');
-			assert.strictEqual(complete.registration_endpoint, 'https://auth.example.com/register');
-			assert.deepStrictEqual(complete.response_types_supported, ['code']);
-		});
-
-		test('getMetadataWithDefaultValues should preserve custom endpoints', () => {
-			const custom: IAuthorizationServerMetadata = {
-				issuer: 'https://auth.example.com',
-				authorization_endpoint: 'https://auth.example.com/custom-authorize',
-				token_endpoint: 'https://auth.example.com/custom-token',
-				registration_endpoint: 'https://auth.example.com/custom-register',
-				response_types_supported: ['code', 'token']
-			};
-
-			const complete = getMetadataWithDefaultValues(custom);
-
-			assert.strictEqual(complete.authorization_endpoint, 'https://auth.example.com/custom-authorize');
-			assert.strictEqual(complete.token_endpoint, 'https://auth.example.com/custom-token');
-			assert.strictEqual(complete.registration_endpoint, 'https://auth.example.com/custom-register');
-		});
 	});
 
 	suite('Parsing Functions', () => {
@@ -756,4 +724,51 @@ suite('OAuth', () => {
 			assert.strictEqual(result, 'https://mcp.example.com/');
 		});
 	});
+
+	suite('Client ID Fallback Scenarios', () => {
+		let sandbox: sinon.SinonSandbox;
+		let fetchStub: sinon.SinonStub;
+
+		setup(() => {
+			sandbox = sinon.createSandbox();
+			fetchStub = sandbox.stub(globalThis, 'fetch');
+		});
+
+		teardown(() => {
+			sandbox.restore();
+		});
+
+		test('fetchDynamicRegistration should throw specific error for missing registration endpoint', async () => {
+			const serverMetadata: IAuthorizationServerMetadata = {
+				issuer: 'https://auth.example.com',
+				response_types_supported: ['code']
+				// registration_endpoint is missing
+			};
+
+			await assert.rejects(
+				async () => await fetchDynamicRegistration(serverMetadata, 'Test Client'),
+				{
+					message: 'Server does not support dynamic registration'
+				}
+			);
+		});
+
+		test('fetchDynamicRegistration should throw specific error for DCR failure', async () => {
+			fetchStub.resolves({
+				ok: false,
+				text: async () => 'DCR not supported'
+			} as Response);
+
+			const serverMetadata: IAuthorizationServerMetadata = {
+				issuer: 'https://auth.example.com',
+				registration_endpoint: 'https://auth.example.com/register',
+				response_types_supported: ['code']
+			};
+
+			await assert.rejects(
+				async () => await fetchDynamicRegistration(serverMetadata, 'Test Client'),
+				/Registration to https:\/\/auth\.example\.com\/register failed: DCR not supported/
+			);
+		});
+	});
 });

src/vs/workbench/api/browser/mainThreadAuthentication.ts

@@ -27,6 +27,7 @@ import { DeferredPromise, raceTimeout } from '../../../base/common/async.js';
 import { IAuthorizationTokenResponse } from '../../../base/common/oauth.js';
 import { IDynamicAuthenticationProviderStorageService } from '../../services/authentication/common/dynamicAuthenticationProviderStorage.js';
 import { IClipboardService } from '../../../platform/clipboard/common/clipboardService.js';
+import { IQuickInputService } from '../../../platform/quickinput/common/quickInput.js';
 
 export interface AuthenticationInteractiveOptions {
 	detail?: string;
@@ -94,7 +95,8 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		@ILogService private readonly logService: ILogService,
 		@IURLService private readonly urlService: IURLService,
 		@IDynamicAuthenticationProviderStorageService private readonly dynamicAuthProviderStorageService: IDynamicAuthenticationProviderStorageService,
-		@IClipboardService private readonly clipboardService: IClipboardService
+		@IClipboardService private readonly clipboardService: IClipboardService,
+		@IQuickInputService private readonly quickInputService: IQuickInputService
 	) {
 		super();
 		this._proxy = extHostContext.getProxy(ExtHostContext.ExtHostAuthentication);
@@ -121,7 +123,9 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 			create: async (authorizationServer, serverMetadata, resource) => {
 				// Auth Provider Id is a combination of the authorization server and the resource, if provided.
 				const authProviderId = resource ? `${authorizationServer.toString(true)} ${resource.resource}` : authorizationServer.toString(true);
-				const clientId = this.dynamicAuthProviderStorageService.getClientId(authProviderId);
+				const clientDetails = await this.dynamicAuthProviderStorageService.getClientRegistration(authProviderId);
+				const clientId = clientDetails?.clientId;
+				const clientSecret = clientDetails?.clientSecret;
 				let initialTokens: (IAuthorizationTokenResponse & { created_at: number })[] | undefined = undefined;
 				if (clientId) {
 					initialTokens = await this.dynamicAuthProviderStorageService.getSessionsForDynamicAuthProvider(authProviderId, clientId);
@@ -131,6 +135,7 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 					serverMetadata,
 					resource,
 					clientId,
+					clientSecret,
 					initialTokens
 				);
 			}
@@ -224,25 +229,28 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		return deferredPromise.p;
 	}
 
-	async $registerDynamicAuthenticationProvider(id: string, label: string, authorizationServer: UriComponents, clientId: string): Promise<void> {
+	async $registerDynamicAuthenticationProvider(id: string, label: string, authorizationServer: UriComponents, clientId: string, clientSecret?: string): Promise<void> {
 		await this.$registerAuthenticationProvider(id, label, true, [authorizationServer]);
-		this.dynamicAuthProviderStorageService.storeClientId(id, URI.revive(authorizationServer).toString(true), clientId, label);
+		await this.dynamicAuthProviderStorageService.storeClientRegistration(id, URI.revive(authorizationServer).toString(true), clientId, clientSecret, label);
 	}
 
 	async $setSessionsForDynamicAuthProvider(authProviderId: string, clientId: string, sessions: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void> {
 		await this.dynamicAuthProviderStorageService.setSessionsForDynamicAuthProvider(authProviderId, clientId, sessions);
 	}
 
-	async $sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label }: Partial<{ providerId: string; clientId: string; authorizationServer: UriComponents; label: string }>): Promise<void> {
+	async $sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label, clientSecret }: Partial<{ providerId: string; clientId: string; authorizationServer: UriComponents; label: string; clientSecret: string }>): Promise<void> {
 		this.logService.info(`Client ID for authentication provider ${providerId} changed to ${clientId}`);
 		const existing = this.dynamicAuthProviderStorageService.getInteractedProviders().find(p => p.providerId === providerId);
 		if (!existing) {
 			throw new Error(`Dynamic authentication provider ${providerId} not found. Has it been registered?`);
 		}
-		this.dynamicAuthProviderStorageService.storeClientId(
+
+		// Store client credentials together
+		await this.dynamicAuthProviderStorageService.storeClientRegistration(
 			providerId || existing.providerId,
 			authorizationServer ? URI.revive(authorizationServer).toString(true) : existing.authorizationServer,
 			clientId || existing.clientId,
+			clientSecret,
 			label || existing.label
 		);
 	}
@@ -536,4 +544,59 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		}
 		return false;
 	}
+
+	async $promptForClientRegistration(authorizationServerUrl: string): Promise<{ clientId: string; clientSecret?: string } | undefined> {
+		// Show modal dialog first to explain the situation and get user consent
+		const result = await this.dialogService.prompt({
+			type: Severity.Info,
+			message: nls.localize('dcrNotSupported', "Dynamic Client Registration not supported"),
+			detail: nls.localize('dcrNotSupportedDetail', "The authorization server '{0}' does not support automatic client registration. Do you want to proceed by manually providing a client registration (client ID)?\n\nNote: When registering your OAuth application, make sure to include these redirect URIs:\nhttp://127.0.0.1:33418\nhttps://vscode.dev/redirect", authorizationServerUrl),
+			buttons: [
+				{
+					label: nls.localize('provideClientDetails', "Proceed"),
+					run: () => true
+				}
+			],
+			cancelButton: {
+				label: nls.localize('cancel', "Cancel"),
+				run: () => false
+			}
+		});
+
+		if (!result) {
+			return undefined;
+		}
+
+		const sharedTitle = nls.localize('addClientRegistrationDetails', "Add Client Registration Details");
+
+		const clientId = await this.quickInputService.input({
+			title: sharedTitle,
+			prompt: nls.localize('clientIdPrompt', "Enter an existing client ID that has been registered with the following redirect URIs: http://127.0.0.1:33418, https://vscode.dev/redirect"),
+			placeHolder: nls.localize('clientIdPlaceholder', "OAuth client ID (azye39d...)"),
+			ignoreFocusLost: true,
+			validateInput: async (value: string) => {
+				if (!value || value.trim().length === 0) {
+					return nls.localize('clientIdRequired', "Client ID is required");
+				}
+				return undefined;
+			}
+		});
+
+		if (!clientId || clientId.trim().length === 0) {
+			return undefined;
+		}
+
+		const clientSecret = await this.quickInputService.input({
+			title: sharedTitle,
+			prompt: nls.localize('clientSecretPrompt', "(optional) Enter an existing client secret associated with the client id '{0}' or leave this field blank", clientId),
+			placeHolder: nls.localize('clientSecretPlaceholder', "OAuth client secret (wer32o50f...) or leave it blank"),
+			password: true,
+			ignoreFocusLost: true
+		});
+
+		return {
+			clientId: clientId.trim(),
+			clientSecret: clientSecret?.trim() || undefined
+		};
+	}
 }

src/vs/workbench/api/common/extHost.protocol.ts

@@ -193,9 +193,10 @@ export interface MainThreadAuthenticationShape extends IDisposable {
 	$waitForUriHandler(expectedUri: UriComponents): Promise<UriComponents>;
 	$showContinueNotification(message: string): Promise<boolean>;
 	$showDeviceCodeModal(userCode: string, verificationUri: string): Promise<boolean>;
-	$registerDynamicAuthenticationProvider(id: string, label: string, authorizationServer: UriComponents, clientId: string): Promise<void>;
+	$promptForClientRegistration(authorizationServerUrl: string): Promise<{ clientId: string; clientSecret?: string } | undefined>;
+	$registerDynamicAuthenticationProvider(id: string, label: string, authorizationServer: UriComponents, clientId: string, clientSecret?: string): Promise<void>;
 	$setSessionsForDynamicAuthProvider(authProviderId: string, clientId: string, sessions: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void>;
-	$sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label }: { providerId: string; clientId?: string; authorizationServer?: UriComponents; label?: string }): Promise<void>;
+	$sendDidChangeDynamicProviderInfo({ providerId, clientId, authorizationServer, label, clientSecret }: { providerId: string; clientId?: string; authorizationServer?: UriComponents; label?: string; clientSecret?: string }): Promise<void>;
 }
 
 export interface MainThreadSecretStateShape extends IDisposable {
@@ -1988,7 +1989,7 @@ export interface ExtHostAuthenticationShape {
 	$removeSession(id: string, sessionId: string): Promise<void>;
 	$onDidChangeAuthenticationSessions(id: string, label: string, extensionIdFilter?: string[]): Promise<void>;
 	$onDidUnregisterAuthenticationProvider(id: string): Promise<void>;
-	$registerDynamicAuthProvider(authorizationServer: UriComponents, serverMetadata: IAuthorizationServerMetadata, resource?: IAuthorizationProtectedResourceMetadata, clientId?: string, initialTokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<string>;
+	$registerDynamicAuthProvider(authorizationServer: UriComponents, serverMetadata: IAuthorizationServerMetadata, resource?: IAuthorizationProtectedResourceMetadata, clientId?: string, clientSecret?: string, initialTokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<string>;
 	$onDidChangeDynamicAuthProviderTokens(authProviderId: string, clientId: string, tokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void>;
 }