Fix OAuth redirect URI format to align with Microsoft's URL standards (#260446)

* Fix OAuth redirect URI validation by adding trailing slash

This change adds a trailing slash to the redirect URI returned by the
loopbackServer's redirectUri getter to match the expected format for
OAuth client registration.

The issue occurs because Microsoft Entra ID automatically appends
a trailing slash to redirect URIs without a path segment, but VS Code
was returning URLs without the trailing slash, causing validation
failures during OAuth authentication.

Fixes #260425

* Add trailing slashes to OAuth redirect URIs in dynamic registration

Complements the loopbackServer.ts fix by ensuring redirect URIs used in
OAuth dynamic client registration also include trailing slashes for
complete standards compliance with Microsoft's OAuth 2.0 URL format.

Updated redirect URIs:
- http://localhost -> http://localhost/
- http://127.0.0.1 -> http://127.0.0.1/
- http://localhost:{port} -> http://localhost:{port}/
- http://127.0.0.1:{port} -> http://127.0.0.1:{port}/

* Fix OAuth redirect URI test expectations to match implementation

The fetchDynamicRegistration function correctly includes trailing slashes
on redirect URIs per the implementation. This updates the test expectations
to match the actual behavior, fixing the test failure.

The implementation in oauth.ts includes trailing slashes on localhost URIs:
- 'http://localhost/' (with trailing slash)
- 'http://127.0.0.1/' (with trailing slash)
- 'http://localhost:/' (with trailing slash)
- 'http://127.0.0.1:/' (with trailing slash)

This test was expecting URIs without trailing slashes, causing the assertion
to fail. The fix aligns the test with the correct implementation behavior.

---------

Co-authored-by: Gautam <[email protected]>
Co-authored-by: bluedog13 <>

Author: bluedog13

src/vs/base/common/oauth.ts

@@ -736,14 +736,14 @@ export async function fetchDynamicRegistration(serverMetadata: IAuthorizationSer
 			redirect_uris: [
 				'https://insiders.vscode.dev/redirect',
 				'https://vscode.dev/redirect',
-				'http://localhost',
-				'http://127.0.0.1',
+				'http://localhost/',
+				'http://127.0.0.1/',
 				// Added these for any server that might do
 				// only exact match on the redirect URI even
 				// though the spec says it should not care
 				// about the port.
-				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}`,
-				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}`
+				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}/`,
+				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}/`
 			],
 			scope: scopes?.join(AUTH_SCOPE_SEPARATOR),
 			token_endpoint_auth_method: 'none',

src/vs/base/test/common/oauth.test.ts

@@ -358,10 +358,10 @@ suite('OAuth', () => {
 			assert.deepStrictEqual(requestBody.redirect_uris, [
 				'https://insiders.vscode.dev/redirect',
 				'https://vscode.dev/redirect',
-				'http://localhost',
-				'http://127.0.0.1',
-				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}`,
-				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}`
+				'http://localhost/',
+				'http://127.0.0.1/',
+				`http://localhost:${DEFAULT_AUTH_FLOW_PORT}/`,
+				`http://127.0.0.1:${DEFAULT_AUTH_FLOW_PORT}/`
 			]);
 
 			// Verify response is processed correctly

src/vs/workbench/api/node/loopbackServer.ts

@@ -102,7 +102,7 @@ export class LoopbackAuthServer implements ILoopbackServer {
 		if (this._port === undefined) {
 			throw new Error('Server is not started yet');
 		}
-		return `http://127.0.0.1:${this._port}`;
+		return `http://127.0.0.1:${this._port}/`;
 	}
 
 	private _sendPage(res: http.ServerResponse): void {