-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth2 token handling #1
Comments
The support for OpenID is more or less the reason why I don't use vscode-restclient. And I don't really like Postman v8 either. OpenId is supported out of the box. You can view the requests in the output channel of the extension. All flows are tested with a keycloak server and openid configuration. client_credentials.env in workspace root local_tokenEndpoint=http://localhost:8080/auth/realms/myRealm/protocol/openid-connect/token
local_clientId=...
local_clientSecret=... service.http GET http://localhost:8080/service/api/v1/foo
Authorization: openid client_credentials local Output
password.env in workspace root local_tokenEndpoint=http://localhost:8080/auth/realms/myRealm/protocol/openid-connect/token
local_clientId=...
local_clientSecret=...
local_username=...
local_password=... service.http GET /service/api/v1/foo
Authorization: openid password local Authorization Code.env in workspace root local_authorizationEndpoint=http://localhost:8080/auth/realms/myRealm/protocol/openid-connect/auth
local_tokenEndpoint=http://localhost:8080/auth/realms/myRealm/protocol/openid-connect/token
local_clientId=...
local_clientSecret=... service.http GET /service/api/v1/foo
Authorization: openid authorization_code local
|
Great starting point. I think it should be fairly easy to extend that to not only handle open id but also generic OAuth2. The main differences I would currently expect is that a) it should be possible to define which scopes should be used b) the returned token might not be a JWT. I'm wondering about the purpose of the local_* name prefix? Aren't these endpoints usually provided by a remote service? Are the returned access and refresh tokens persisted or just kept in memory? |
The prefix more or less came about because I needed too many variables for the flows. And I also have the use case with the token exchange where I need a second OpenId endpoint. It is possible to pass it also by object ( |
I'm going to setup a client id in MS AAD for both OpenId sign in and to access the MS Graph API. Their Graph API uses dozens of scopes to control access to all kind of graph endpoints. |
I'm sorry - I'm a little lost. I registered a new client in AAD, I used I created a .http file to call the MS Graph /me endpoint (https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http) I didn't figure out how to now a) to start the Open Id sign in flow and then b) to use the returned access token for the bearer authorization. |
I made some progress. I missed |
After send OpenIdVariableReplacer matches auth header by regex and opens a browser with authorizationEndpoint |
That gives me now the url A working url we generate for our site is So it seems that access_type and scope parameters are added. |
Currently I assume that the next steps to generalize bearer authorization could be:
|
|
Thank you for your fast enhancement. I've installed 1.14.0 (2021-02-22) and add added the line It generates now the url |
From my understanding oidc is an specific, limited use case of oauth2. As soon as scope works I think you'll also support oauth2. For our use cases oidc is not relevant. I had been searching for a tool supporting oauth2 and nearly skipped your outstanding solution as I didn't see oauth2. So using openid as the only keyword is just fine, but I think that using the oauth2 as the main keyword might attract more users. |
code showed a "restart" button - which I think I had clicked. I now restarted it manually, but I get now the following error when clicking on send
|
I experienced this error myself. Did you select your environment? Parameter
authorizationEndpoint is not found. It will get fixed in next release
Martin Amm <notifications@github.com> schrieb am Mo., 22. Feb. 2021, 17:52:
… code showed a "restart" button - which I think I had clicked. I now
restarted it manually, but I get now the following error when clicking on
send
TypeError: Cannot read property 'indexOf' of undefined at c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:433316 at
Generator.next (<anonymous>) at c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:430055 at new Promise (<anonymous>) at
n (c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:429800) at
c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:432899 at
new Promise (<anonymous>) at w (c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:432879)
at authorization_code (c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:434934)
at c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:432103 at Generator.next (<anonymous>)
at c:\Users\ma\.vscode\extensions\anweber.vscode-httpyac-1.14.0\dist\extension.js:2:43005...
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADGP643GXBJ6HRVEZ7QK62DTAKDUPANCNFSM4X7IBUUQ>
.
|
You are right, I didn't select an environment. The error is gone now. |
I'm now login into O365, but then I'm prompted, and after clicking Open I get the error below. Is there any url on http://localhost:3000 I can invoke to see it the server responds? |
Oh man, that hurts. i am an enemy of usability. This is the good case. It worked and there is a redirect to vscode//{filename}}. The behavior occurs because you were already logged in. I change it to a boring html page:-) After that, the http server will be terminated immediately, so you will not be able to call it again. This behavior is intentional, as I still find opening an http server very unexpected, so I wanted to minimize its use (=> error page). The deadlock (browser does not open) you observed is probably due to the fact that for each request I start the server independently. I guess I will have to improve the management of the server. For me it was enough, but if the behavior is a black box, it should become more comfortable. |
I didn't check what the VS Code WebViews do exactly - but maybe they can be used to launch the auth flow inline instead of launching an external web browser? PostMan also has a simple web browser included, and they seem to just detect the final redirect. So when the server responds with 302 to redirect_uri they just detect that, but do not redirect to the page at all. Which is quite neat as you can just use any existing redirect_uri and you don't need to register an additional client id for the http://localhost:3000/callback. |
No, Webview cannot fulfill this functionality. That was my first idea. Best support I can get from vscode is Authentication Provider but this is VSCode Insiders. |
In Postman I can use any existing client id, secret & redirect_uri. It seems that e.g. https://stackoverflow.com/questions/58156957/how-postman-complete-the-oauth-2-0-flow-without-actually-redirect-to-the-redirec explains how they do it. From my understanding their "trick" is that they have an internal web browser, which can detect the 302 response from the server. |
In this case you really trust Postman with a lot (ClientSecret, ClientId, Username and Password). I also considered using a headless chrome like in Browser Preview. But it was too much effort for me and with the current implementation I can also use the password management of the browser. |
Headless would work, but it's a pain to maintain and you would need to know the users password. We already use Puppeteer in visual regression tests. But you need a script for each partner, and every time the page where their authorize the access changes, the script needs to be changed. VS Code uses a relay/proxy server https://github.com/microsoft/vscode/blob/a699ffaee62010c4634d301da2bbdb7646b8d1da/extensions/github-authentication/src/githubServer.ts#L17 to handle GitHub authorization, which stores the received token in keytar. For using a similar concept, setting up a proxy server like Grant might be an option, but would be another dependency to setup and maintain. I think using short-lived mini web server to receive the token is a brilliant idea and I also like the idea to not persist the received token at all. |
new version with fix is released. may you please test. thanks:-) |
Thank you. I now always got the tokens and accessing the MS Graph endpoints works as well. In my tests I needed to use different scopes. But after changing the .env no new token was requested. The only option to request a new token I found was restarting VS code. So it would be great if a changes of the scope value since the token was requested would be detected, or having an "request token" code lens would probably be even better. |
Presumably the scope is deifned as an inline variable. This was not considered in the cache. I have now changed the CacheKey to the actual values, so it should work after the next release. |
Using the scope values as part of the cache key will solve the problem as well. I was wondering if it would make sense to be able to explicitly request a new token even if a token is already cached. Currently VS code needs to be restarted if I want to get a new token. Having a code lens would allow to request a new one without having to restart. |
OAuthTokenStore is cleared on reset environment. Use command "refresh/
reset environment"
Martin Amm <notifications@github.com> schrieb am Sa., 27. Feb. 2021, 15:53:
… Using the scope values as part of the cache key will solve the problem as
well. I was wondering if it would make sense to be able to explicitly
request a new token even if a token is already cached. Currently VS code
needs to be restarted if I want to get a new token. Having a code lens
would allow to request a new one without having to restart.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADGP645OI5ZW3P5AMV66TWDTBEBPXANCNFSM4X7IBUUQ>
.
|
I think using the scope as part of the cache key will not always work. Let's have say
In a quick test it seems that current result is that "token1" is used again. But a new token should be requested, most OAuth implementations I'm aware of manage one token per user and client id. So as soon as "token2" was issued, "token1" became invalid and cannot be used again. |
One token per user, client and token endpoint should work. I switch between different oauth server with same user and clientId and don't want to login everytime. Do you agree? |
I now repeated my test:
My assumption was that access would fail as the current scopes do not allow access to the endpoint. But access was successful. I understand why it worked. I don't know how to get rid of the previously cached token, without restarting. I'm not sure if the current behavior is a bug or a feature. |
I have now refactored the management of OAuth tokens. These can now be viewed and also deleted using the command |
Works great. It would be nice if the logout command could also be started from code lens. |
released new version with code lens support |
Great idea. I did not like the display of the tokenEndpoint, only the display of the environment was not easily possible. The prefix is a good compromise. |
I'm currently researching an alternative for PostMan. Your extension is very impressive. We use PostMan mostly with endpoints using OAuth2 code flow to provide tokens. So I currently try to understand if there is already any way to request arbitrary OAuth2 tokens with httpyac.
I just discovered openIdVariableReplacer.ts and I'm wondering how to use it? Are you planning to add some kind of OAuth2 token handling and/or are you open to PR in that area?
The text was updated successfully, but these errors were encountered: