Implement OAuth client in VS Code #633
Conversation
EhabY
force-pushed
the
oauth-vs-code
branch
2 times, most recently
from
78db0ad to
b93e027
Compare
EhabY
force-pushed
the
oauth-vs-code
branch
6 times, most recently
from
8e5ad5d to
423742c
Compare
code-asher
left a comment
code-asher
left a comment
There was a problem hiding this comment.
I am I think maybe halfway through I need to log off but thought I would submit what I have so far.
| const hostChanged = currentHost !== host; | ||
| const tokenChanged = currentToken !== token; |
There was a problem hiding this comment.
Do we need to handle the case of comparing an empty string to undefined? That could trigger a reconnect or suspend but maybe going from falsey to falsey should be considered as no change.
There was a problem hiding this comment.
I would consider this a change, since we can go from undefined to "" due to mTLS authentication
| const token = this.getAxiosInstance().defaults.headers.common[ | ||
| coderSessionTokenHeader | ||
| ] as string | undefined; | ||
| return this.createOneWayWebSocket<TData>(socketConfigs); |
There was a problem hiding this comment.
We have a check for the base URL just above this line but createOneWayWebSocket does this check so it seems like we no longer need the one above here.
Which would make socketFactory little more than a call to createOneWayWebSocket, perhaps that means something can be simplified here.
| const currentHost = defaults.baseURL; | ||
| const currentToken = defaults.headers.common[coderSessionTokenHeader]; |
There was a problem hiding this comment.
We grab these often enough that I wonder if we want some getters for the host and token?
| setHost = (host: string | undefined): void => { | ||
| const defaults = this.getAxiosInstance().defaults; | ||
| const currentHost = defaults.baseURL; | ||
| defaults.baseURL = host; | ||
| const currentToken = this.getAxiosInstance().defaults.headers.common[ | ||
| coderSessionTokenHeader | ||
| ] as string | undefined; | ||
| this.setCredentials(host, currentToken); | ||
| }; |
There was a problem hiding this comment.
setHost appears to be unused except in tests. Can we remove it?
Part of me wonders if we should remove setSessionToken too and only expose setCredentials just to avoid the possibility of someone setting the host and then the token or vice versa, causing two reconnections with the first failing since it temporarily has the wrong token or url.
There was a problem hiding this comment.
Yeah that could be better actually, currently we only use setSessionToken for convenience since there are a few cases where host does not change but the token does
| const httpAgent = await createHttpAgent( | ||
| vscode.workspace.getConfiguration(), | ||
| ); | ||
| private async createOneWayWebSocket<TData>( |
There was a problem hiding this comment.
The existence of createOneWayWebSocket to me implies that createWebSocket is two-way socket, but it actually also creates a one-way web socket, except potentially reconnecting. Maybe we can have just createOneWayWebSocket and it handles enableRetry?
Or, we could rename createWebSocket to createReconnectingOneWayWebSocket or something like that.
| } | ||
|
|
||
| public async getSessionAuth(label: string): Promise<SessionAuth | undefined> { | ||
| if (!label) { |
There was a problem hiding this comment.
Would this be blank if it was using the old format? But if so always returning undefined seems like it would break old connections (well, it would just require re-authenticating I think, so no big deal).
Although, IMO, it is fine to break those at this point. But then we should remove the concept of a label altogether and just go off the URL.
There was a problem hiding this comment.
Agreed, I'll remove all label, url pairs and just rely on url (we can derive the label when need be) - let's just hope URIs are not weird where sometimes they have a trailing slash (/) and sometimes they do not or sometimes they use http and sometimes https
Actually we might need to keep label for the secrets at least (or we can deduce it from the URL), because otherwise our secrets look something like coder.session.https://dev.coder.com compared to coder.session.dev.coder.com. I guess technically there's no limitation on the key format (I think) 🤔
There was a problem hiding this comment.
I forgot that the remote authority does not include the protocol so I guess we will need to look it up based on the "label" after all anyway... 😢
| INVALID, | ||
| import type { Deployment } from "./deployment"; | ||
|
|
||
| const SESSION_KEY_PREFIX = "coder.session."; |
There was a problem hiding this comment.
Thinking out loud, right now we have $key_deployment for each type of secret but would it make sense to have one secret for all the keys?
So instead of:
coder.session.dev.coder.com = "foo"
coder.oauth.tokens.dev.coder.com = "foo"
we have something like:
coder.deployments.dev.coder.com = JSON.stringify({
session: "foo",
oauth: { tokens: "foo" },
})
We could maybe have a function like update(url: string, secrets: Partial<Secrets>) or something like that, or we could still have the separate update functions like we have now.
There was a problem hiding this comment.
I did this at first but it was a headache to ensure concurrent writes and having reliable onDidChange* events. Because there is no atomic way of updating this so we have to do: read -> modify -> write which means if we have two windows that are updating two different settings we might drop some info (also events would need compare old and new values)
There was a problem hiding this comment.
Ooh yeah good point, if two instances are updating different parts of the settings. Yeah what you have makes sense. We might want to leave a comment explaining the architecture decision here.
| await this.secrets.delete(`${OAUTH_TOKENS_PREFIX}${label}`); | ||
| } | ||
|
|
||
| public async getOAuthClientRegistration( |
There was a problem hiding this comment.
Definitely a nit, but I feel like we have a lot of these set/get/delete patterns doing the same thing with different keys that could maybe be squashed into something generic.
|
|
||
| const existing = await this.getSessionAuth(label); | ||
| if (existing) { | ||
| return undefined; |
There was a problem hiding this comment.
Should we delete the legacy url and token if we have existing auth?
| } | ||
|
|
||
| await this.setSessionAuth(label, { url: legacyUrl, token: oldToken }); | ||
| await this.secrets.delete(LEGACY_SESSION_TOKEN_KEY); |
There was a problem hiding this comment.
Should we also delete the legacy url?
code-asher
left a comment
code-asher
left a comment
There was a problem hiding this comment.
I have not tested if this was an existing issue, but when I log in with a token my workspaces are not populated until I manually refresh. Are you seeing the same thing?
I have not tested logging in with oauth yet because xdg-open opens the wrong thing, but that is an issue with my system configuration. 😛 But, could be cool if there was an option in the flow to manually paste in the callback URI as a fallback.
| const AUTH_GRANT_TYPE = "authorization_code" as const; | ||
| const REFRESH_GRANT_TYPE = "refresh_token" as const; | ||
| const RESPONSE_TYPE = "code" as const; | ||
| const PKCE_CHALLENGE_METHOD = "S256" as const; |
There was a problem hiding this comment.
Why do we need the const cast? TypeScript being dumb in some way I imagine?
|
|
||
| this.refreshTimer = setTimeout(async () => { | ||
| try { | ||
| await this.refreshIfAlmostExpired(); |
There was a problem hiding this comment.
If we only refresh when almost expired, why not set a timer directly for that time rather than checking in a loop?
| */ | ||
| private hasRequiredScopes(grantedScope: string | undefined): boolean { | ||
| if (!grantedScope) { | ||
| // TODO server always returns empty scopes |
There was a problem hiding this comment.
Yeah I think this was never implemented or at least not merged.
| const DEFAULT_OAUTH_SCOPES = [ | ||
| "workspace:read", | ||
| "workspace:update", | ||
| "workspace:start", | ||
| "workspace:ssh", | ||
| "workspace:application_connect", | ||
| "template:read", | ||
| "user:read_personal", | ||
| ].join(" "); |
There was a problem hiding this comment.
Did you have a way to test if these scopes were sufficient? Not sure if there is a way right now, maybe if we try to generate a key manually with these scopes (I think this can be done on the account page) and paste it in to make sure everything works.
| registration: ClientRegistrationResponse; | ||
| }> { | ||
| const deployment = this.requireDeployment(); | ||
| const client = CoderApi.create(deployment.url, token, this.logger); |
There was a problem hiding this comment.
Oh hm so some oauth requests are not using the oauth interceptor that handles oauth errors? Looks like exchange uses the plugin client which has the interceptor, and refresh and revoke use this one without the interceptor. But it looks neither of those have their own error handling.
| @@ -0,0 +1,163 @@ | |||
| // OAuth 2.1 Grant Types | |||
| export type GrantType = | |||
There was a problem hiding this comment.
Is pulling these types from typesGenerated.ts an option?
| @@ -0,0 +1,808 @@ | |||
| import { type AxiosInstance } from "axios"; | |||
There was a problem hiding this comment.
Have we considered using an oauth client library? I could see needing to add more parts of the spec in the future, or oidc or something, and a library could possibly handle it all for us.
| await this.secretsManager.setOAuthTokens(deployment.label, tokens); | ||
| await this.secretsManager.setSessionAuth(deployment.label, { |
There was a problem hiding this comment.
From the outside looking in, it feels weird to me that we set oauth tokens and session auth separately. I think I would expect a single session auth object, and that object would have oauth information as well if it came from oauth.
Or to approach this another way, is there a use case for setting only oauth tokens but not the session auth?
| progress.report({ message: "registering client...", increment: 10 }); | ||
| const registration = await this.registerClient(axiosInstance, metadata); | ||
|
|
||
| progress.report({ message: "waiting for authorization...", increment: 30 }); |
There was a problem hiding this comment.
Is it possible to add a cancel button? If I close the browser window without authorizing it looks like I am stuck without a way to change my authorization method.
Also if I click login and enter the URL again I wonder if it should kick off the authorization flow again, right now it does nothing so I have no way to reopen the window I closed.
And, if I close the window then try to log into a different deployment, the notification for the previous one still shows but we should probably cancel it when that happens (or disable the login button while auth is ongoing).
2 participants
Closes #586