GitHub Authentication provider returns a different token type when connected to a CodeSpace in a browser

[alexweininger]

Does this issue occur when all extensions are disabled?: No, issue with extension

• VS Code Version: 1.80.0-insider
• OS Version: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.3

In a browser connected to a CodeSpace we receive "GitHub App user-to-server tokens" (prefixed with ghu_). In all other places I tested, we receive "OAuth access tokens" (prefixed by gho_) ¹. The user-to-server tokens are created by GitHub Apps, whereas OAuth tokens are created by OAuth apps ².

This causes issues because the tokens behave quite differently and have different, unique scoping systems. Also, if you try to request a new token with a user-to-server token (ghu) specific scope, the auth provider returns a gho token.

Steps to Reproduce:

It's easiest to reproduce this issue by using the Fugio extension.

1. Connect to a CodeSpace in a browser-based VS Code instance.
2. Run command "Fugio: Mint Token" via the palette.
3. Select "GitHub"
4. Select "Use custom value..."
5. Enter repo workflow user:email read:user

6. Select "Copy access token" and observe the token prefix.

Footnotes

1. GitHub authentication token formats: https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/ ↩

2. Differences between GitHub Apps and OAuth apps https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/differences-between-github-apps-and-oauth-apps ↩

[TylerLeonhardt]

Yeah this is expected. In the web, Codespaces supplies tokens from their GitHub App ahead of time, that are used by the extensions that we wanted to be already logged in when the Codespace loads. Any additional requests go through the OAuth flow.

Can I ask what behavior difference you're seeing that's causing you issues?

cc @joshaber @jkeech

[alexweininger]

For us specifically, the Static Web Apps service isn't compatible with the GitHub App tokens. I think the weirdest part is that we're requesting a token with OAuth-specific scopes and we receive a GitHub App token with unknown scopes.

Our current workaround is to make another getSession call with a fake scope so that VS Code gives us a OAuth token.

[TylerLeonhardt]

I'm not sure what I can do from the auth extension perspective. We likely need to figure out a way to get the SWA extension to play nice with the GitHub App tokens available in Codespaces...

[TylerLeonhardt]

This isn't something in our control. I think the SWA team needs to allow Codespaces GH Apps tokens.