Introduce auth-provider specific props & use it for social sign in for GitHub (#251649)

ref https://github.com/microsoft/vscode/issues/251648 NOTE: the server side is not quite ready. It doesn't redirect back to VS Code properly, but this should be good to go whenever that is.
2025-12-23 19:59:37 +00:00 · 2025-06-16 14:02:36 -07:00
parent 480485f0d0
commit 2fabac413d
12 changed files with 162 additions and 28 deletions
--- a/extensions/github-authentication/package.json
+++ b/extensions/github-authentication/package.json
@@ -18,7 +18,8 @@
    "workspace"
  ],
  "enabledApiProposals": [
-    "authIssuers"
+    "authIssuers",
+    "authProviderSpecific"
  ],
  "activationEvents": [],
  "capabilities": {
--- a/extensions/github-authentication/src/flows.ts
+++ b/extensions/github-authentication/src/flows.ts
@@ -60,15 +60,46 @@ export interface IFlowQuery {
 }

 interface IFlowTriggerOptions {
+	/**
+	 * The scopes to request for the OAuth flow.
+	 */
 	scopes: string;
+	/**
+	 * The base URI for the flow. This is used to determine which GitHub instance to authenticate against.
+	 */
 	baseUri: Uri;
-	logger: Log;
+	/**
+	 * The specific auth provider to use for the flow.
+	 */
+	signInProvider?: GitHubSocialSignInProvider;
+	/**
+	 * The Uri that the OAuth flow will redirect to. (i.e. vscode.dev/redirect)
+	 */
 	redirectUri: Uri;
-	nonce: string;
+	/**
+	 * The Uri to redirect to after redirecting to the redirect Uri. (i.e. vscode://....)
+	 */
 	callbackUri: Uri;
-	uriHandler: UriEventHandler;
+	/**
+	 * The enterprise URI for the flow, if applicable.
+	 */
 	enterpriseUri?: Uri;
+	/**
+	 * The existing login which will be used to pre-fill the login prompt.
+	 */
 	existingLogin?: string;
+	/**
+	 * The nonce for this particular flow. This is used to prevent replay attacks.
+	 */
+	nonce: string;
+	/**
+	 * The instance of the Uri Handler for this extension
+	 */
+	uriHandler: UriEventHandler;
+	/**
+	 * The logger to use for this flow.
+	 */
+	logger: Log;
 }

 interface IFlow {
@@ -143,12 +174,13 @@ class UrlHandlerFlow implements IFlow {
 		scopes,
 		baseUri,
 		redirectUri,
-		logger,
-		nonce,
 		callbackUri,
-		uriHandler,
 		enterpriseUri,
-		existingLogin
+		nonce,
+		signInProvider: authProvider,
+		uriHandler,
+		existingLogin,
+		logger,
 	}: IFlowTriggerOptions): Promise<string> {
 		logger.info(`Trying without local server... (${scopes})`);
 		return await window.withProgress<string>({
@@ -177,7 +209,7 @@ class UrlHandlerFlow implements IFlow {
 			// The extra toString, parse is apparently needed for env.openExternal
 			// to open the correct URL.
 			const uri = Uri.parse(baseUri.with({
-				path: '/login/oauth/authorize',
+				path: getAuthorizeUrlPath(authProvider),
 				query: searchParams.toString()
 			}).toString(true));
 			await env.openExternal(uri);
@@ -219,10 +251,11 @@ class LocalServerFlow implements IFlow {
 		scopes,
 		baseUri,
 		redirectUri,
-		logger,
 		callbackUri,
 		enterpriseUri,
-		existingLogin
+		signInProvider: authProvider,
+		existingLogin,
+		logger
 	}: IFlowTriggerOptions): Promise<string> {
 		logger.info(`Trying with local server... (${scopes})`);
 		return await window.withProgress<string>({
@@ -246,7 +279,7 @@ class LocalServerFlow implements IFlow {
 			}

 			const loginUrl = baseUri.with({
-				path: '/login/oauth/authorize',
+				path: getAuthorizeUrlPath(authProvider),
 				query: searchParams.toString()
 			});
 			const server = new LoopbackAuthServer(path.join(__dirname, '../media'), loginUrl.toString(true), callbackUri.toString(true));
@@ -520,3 +553,24 @@ export function getFlows(query: IFlowQuery) {
 		return useFlow;
 	});
 }
+
+/**
+ * Social authentication providers for GitHub
+ */
+export const enum GitHubSocialSignInProvider {
+	Google = 'google',
+	// Apple = 'apple',
+}
+
+export function isSocialSignInProvider(provider: unknown): provider is GitHubSocialSignInProvider {
+	return provider === GitHubSocialSignInProvider.Google; // || provider === GitHubSocialSignInProvider.Apple;
+}
+
+export function getAuthorizeUrlPath(provider: GitHubSocialSignInProvider | undefined): string {
+	switch (provider) {
+		case GitHubSocialSignInProvider.Google:
+			// case GitHubSocialSignInProvider.Apple:
+			return `/sessions/social/${provider}/initiate`;
+	}
+	return '/login/oauth/authorize';
+}
--- a/extensions/github-authentication/src/github.ts
+++ b/extensions/github-authentication/src/github.ts
@@ -12,6 +12,7 @@ import { ExperimentationTelemetry } from './common/experimentationService';
 import { Log } from './common/logger';
 import { crypto } from './node/crypto';
 import { TIMED_OUT_ERROR, USER_CANCELLATION_ERROR } from './common/errors';
+import { GitHubSocialSignInProvider, isSocialSignInProvider } from './flows';

 interface SessionData {
 	id: string;
@@ -31,6 +32,20 @@ export enum AuthProviderType {
 	githubEnterprise = 'github-enterprise'
 }

+interface GitHubAuthenticationProviderOptions extends vscode.AuthenticationProviderSessionOptions {
+	/**
+	 * This is specific to GitHub and is used to determine which social sign-in provider to use.
+	 * If not provided, the default (GitHub) is used which shows all options.
+	 *
+	 * Example: If you specify Google, then the sign-in flow will skip the initial page that asks you
+	 * to choose how you want to sign in and will directly take you to the Google sign-in page.
+	 *
+	 * This allows us to show "Continue with Google" buttons in the product, rather than always
+	 * leaving it up to the user to choose the social sign-in provider on the sign-in page.
+	 */
+	readonly provider?: GitHubSocialSignInProvider;
+}
+
 export class UriEventHandler extends vscode.EventEmitter<vscode.Uri> implements vscode.UriHandler {
 	private readonly _pendingNonces = new Map<string, string[]>();
 	private readonly _codeExchangePromises = new Map<string, { promise: Promise<string>; cancel: vscode.EventEmitter<void> }>();
@@ -306,7 +321,7 @@ export class GitHubAuthenticationProvider implements vscode.AuthenticationProvid
 		this._logger.info(`Stored ${sessions.length} sessions!`);
 	}

-	public async createSession(scopes: string[], options?: vscode.AuthenticationProviderSessionOptions): Promise<vscode.AuthenticationSession> {
+	public async createSession(scopes: string[], options?: GitHubAuthenticationProviderOptions): Promise<vscode.AuthenticationSession> {
 		try {
 			// For GitHub scope list, order doesn't matter so we use a sorted scope to determine
 			// if we've got a session already.
@@ -325,9 +340,10 @@ export class GitHubAuthenticationProvider implements vscode.AuthenticationProvid

 			const sessions = await this._sessionsPromise;
 			const loginWith = options?.account?.label;
-			this._logger.info(`Logging in with '${loginWith ? loginWith : 'any'}' account...`);
+			const signInProvider = isSocialSignInProvider(options?.provider) ? options.provider : undefined;
+			this._logger.info(`Logging in with${signInProvider ? ` ${signInProvider}, ` : ''} '${loginWith ? loginWith : 'any'}' account...`);
 			const scopeString = sortedScopes.join(' ');
-			const token = await this._githubServer.login(scopeString, loginWith);
+			const token = await this._githubServer.login(scopeString, signInProvider, loginWith);
 			const session = await this.tokenToSession(token, scopes);
 			this.afterSessionLoad(session);

--- a/extensions/github-authentication/src/githubServer.ts
+++ b/extensions/github-authentication/src/githubServer.ts
@@ -10,7 +10,7 @@ import { Log } from './common/logger';
 import { isSupportedClient, isSupportedTarget } from './common/env';
 import { crypto } from './node/crypto';
 import { fetching } from './node/fetch';
-import { ExtensionHost, GitHubTarget, getFlows } from './flows';
+import { ExtensionHost, GitHubSocialSignInProvider, GitHubTarget, getFlows } from './flows';
 import { CANCELLATION_ERROR, NETWORK_ERROR, USER_CANCELLATION_ERROR } from './common/errors';
 import { Config } from './config';
 import { base64Encode } from './node/buffer';
@@ -19,7 +19,7 @@ const REDIRECT_URL_STABLE = 'https://vscode.dev/redirect';
 const REDIRECT_URL_INSIDERS = 'https://insiders.vscode.dev/redirect';

 export interface IGitHubServer {
-	login(scopes: string, existingLogin?: string): Promise<string>;
+	login(scopes: string, signInProvider?: GitHubSocialSignInProvider, existingLogin?: string): Promise<string>;
 	logout(session: vscode.AuthenticationSession): Promise<void>;
 	getUserInfo(token: string): Promise<{ id: string; accountName: string }>;
 	sendAdditionalTelemetryInfo(session: vscode.AuthenticationSession): Promise<void>;
@@ -87,7 +87,7 @@ export class GitHubServer implements IGitHubServer {
 		return this._isNoCorsEnvironment;
 	}

-	public async login(scopes: string, existingLogin?: string): Promise<string> {
+	public async login(scopes: string, signInProvider?: GitHubSocialSignInProvider, existingLogin?: string): Promise<string> {
 		this._logger.info(`Logging in for the following scopes: ${scopes}`);

 		// Used for showing a friendlier message to the user when the explicitly cancel a flow.
@@ -135,6 +135,7 @@ export class GitHubServer implements IGitHubServer {
 					scopes,
 					callbackUri,
 					nonce,
+					signInProvider,
 					baseUri: this.baseUri,
 					logger: this._logger,
 					uriHandler: this._uriHandler,
--- a/extensions/github-authentication/tsconfig.json
+++ b/extensions/github-authentication/tsconfig.json
@@ -13,6 +13,7 @@
 	"include": [
 		"src/**/*",
 		"../../src/vscode-dts/vscode.d.ts",
-		"../../src/vscode-dts/vscode.proposed.authIssuers.d.ts"
+		"../../src/vscode-dts/vscode.proposed.authIssuers.d.ts",
+		"../../src/vscode-dts/vscode.proposed.authProviderSpecific.d.ts"
 	]
 }
--- a/src/vs/platform/extensions/common/extensionsApiProposals.ts
+++ b/src/vs/platform/extensions/common/extensionsApiProposals.ts
@@ -25,6 +25,9 @@ const _allApiProposals = {
 	authLearnMore: {
 		proposal: 'https://raw.githubusercontent.com/microsoft/vscode/main/src/vscode-dts/vscode.proposed.authLearnMore.d.ts',
 	},
+	authProviderSpecific: {
+		proposal: 'https://raw.githubusercontent.com/microsoft/vscode/main/src/vscode-dts/vscode.proposed.authProviderSpecific.d.ts',
+	},
 	authSession: {
 		proposal: 'https://raw.githubusercontent.com/microsoft/vscode/main/src/vscode-dts/vscode.proposed.authSession.d.ts',
 	},
--- a/src/vs/workbench/api/browser/mainThreadAuthentication.ts
+++ b/src/vs/workbench/api/browser/mainThreadAuthentication.ts
@@ -6,7 +6,7 @@
 import { Disposable, DisposableMap } from '../../../base/common/lifecycle.js';
 import * as nls from '../../../nls.js';
 import { extHostNamedCustomer, IExtHostContext } from '../../services/extensions/common/extHostCustomers.js';
-import { IAuthenticationCreateSessionOptions, AuthenticationSession, AuthenticationSessionsChangeEvent, IAuthenticationProvider, IAuthenticationService, IAuthenticationExtensionsService, INTERNAL_AUTH_PROVIDER_PREFIX as INTERNAL_MODEL_AUTH_PROVIDER_PREFIX, AuthenticationSessionAccount, IAuthenticationProviderSessionOptions } from '../../services/authentication/common/authentication.js';
+import { AuthenticationSession, AuthenticationSessionsChangeEvent, IAuthenticationProvider, IAuthenticationService, IAuthenticationExtensionsService, INTERNAL_AUTH_PROVIDER_PREFIX as INTERNAL_MODEL_AUTH_PROVIDER_PREFIX, AuthenticationSessionAccount, IAuthenticationProviderSessionOptions } from '../../services/authentication/common/authentication.js';
 import { ExtHostAuthenticationShape, ExtHostContext, MainContext, MainThreadAuthenticationShape } from '../common/extHost.protocol.js';
 import { IDialogService, IPromptButton } from '../../../platform/dialogs/common/dialogs.js';
 import Severity from '../../../base/common/severity.js';
@@ -64,7 +64,7 @@ export class MainThreadAuthenticationProvider extends Disposable implements IAut
 		return this._proxy.$getSessions(this.id, scopes, options);
 	}

-	createSession(scopes: string[], options: IAuthenticationCreateSessionOptions): Promise<AuthenticationSession> {
+	createSession(scopes: string[], options: IAuthenticationProviderSessionOptions): Promise<AuthenticationSession> {
 		return this._proxy.$createSession(this.id, scopes, options);
 	}

--- a/src/vs/workbench/api/common/extHost.protocol.ts
+++ b/src/vs/workbench/api/common/extHost.protocol.ts
@@ -78,7 +78,7 @@ import { Timeline, TimelineChangeEvent, TimelineOptions, TimelineProviderDescrip
 import { TypeHierarchyItem } from '../../contrib/typeHierarchy/common/typeHierarchy.js';
 import { RelatedInformationResult, RelatedInformationType } from '../../services/aiRelatedInformation/common/aiRelatedInformation.js';
 import { AiSettingsSearchProviderOptions, AiSettingsSearchResult } from '../../services/aiSettingsSearch/common/aiSettingsSearch.js';
-import { AuthenticationSession, AuthenticationSessionAccount, AuthenticationSessionsChangeEvent, IAuthenticationCreateSessionOptions, IAuthenticationProviderSessionOptions } from '../../services/authentication/common/authentication.js';
+import { AuthenticationSession, AuthenticationSessionAccount, AuthenticationSessionsChangeEvent, IAuthenticationCreateSessionOptions, IAuthenticationGetSessionsOptions } from '../../services/authentication/common/authentication.js';
 import { EditorGroupColumn } from '../../services/editor/common/editorGroupColumn.js';
 import { IExtensionDescriptionDelta, IStaticWorkspaceData } from '../../services/extensions/common/extensionHostProtocol.js';
 import { IResolveAuthorityResult } from '../../services/extensions/common/extensionHostProxy.js';
@@ -1981,7 +1981,7 @@ export interface ExtHostLabelServiceShape {
 }

 export interface ExtHostAuthenticationShape {
-	$getSessions(id: string, scopes: string[] | undefined, options: IAuthenticationProviderSessionOptions): Promise<ReadonlyArray<AuthenticationSession>>;
+	$getSessions(id: string, scopes: string[] | undefined, options: IAuthenticationGetSessionsOptions): Promise<ReadonlyArray<AuthenticationSession>>;
 	$createSession(id: string, scopes: string[], options: IAuthenticationCreateSessionOptions): Promise<AuthenticationSession>;
 	$removeSession(id: string, sessionId: string): Promise<void>;
 	$onDidChangeAuthenticationSessions(id: string, label: string, extensionIdFilter?: string[]): Promise<void>;
--- a/src/vs/workbench/contrib/chat/common/chatEntitlementService.ts
+++ b/src/vs/workbench/contrib/chat/common/chatEntitlementService.ts
@@ -847,6 +847,7 @@ export class ChatEntitlementRequests extends Disposable {

 	async signIn() {
 		const providerId = ChatEntitlementRequests.providerId(this.configurationService);
+		// TODO: Pass in { provider: 'google' } for google sign-in
 		const session = await this.authenticationService.createSession(providerId, defaultChat.providerScopes[0]);

 		this.authenticationExtensionsService.updateAccountPreference(defaultChat.extensionId, providerId, session.account);
--- a/src/vs/workbench/services/authentication/browser/authenticationService.ts
+++ b/src/vs/workbench/services/authentication/browser/authenticationService.ts
@@ -281,7 +281,7 @@ export class AuthenticationService extends Disposable implements IAuthentication
 					throw new Error(`The authorization server '${authServerStr}' is not supported by the authentication provider '${id}'.`);
 				}
 			}
-			return await authProvider.getSessions(scopes, { account: options?.account, authorizationServer: options?.authorizationServer });
+			return await authProvider.getSessions(scopes, { ...options });
 		} else {
 			throw new Error(`No authentication provider '${id}' is currently registered.`);
 		}
@@ -294,10 +294,7 @@ export class AuthenticationService extends Disposable implements IAuthentication

 		const authProvider = this._authenticationProviders.get(id) || await this.tryActivateProvider(id, !!options?.activateImmediate);
 		if (authProvider) {
-			return await authProvider.createSession(scopes, {
-				account: options?.account,
-				authorizationServer: options?.authorizationServer
-			});
+			return await authProvider.createSession(scopes, { ...options });
 		} else {
 			throw new Error(`No authentication provider '${id}' is currently registered.`);
 		}
--- a/src/vs/workbench/services/authentication/common/authentication.ts
+++ b/src/vs/workbench/services/authentication/common/authentication.ts
@@ -38,6 +38,9 @@ export interface AuthenticationProviderInformation {
 	authorizationServerGlobs?: ReadonlyArray<string>;
 }

+/**
+ * Options for creating an authentication session via the service.
+ */
 export interface IAuthenticationCreateSessionOptions {
 	activateImmediate?: boolean;
 	/**
@@ -50,8 +53,18 @@ export interface IAuthenticationCreateSessionOptions {
 	 * the provider can use this authorization server, then it is passed down to the auth provider.
 	 */
 	authorizationServer?: URI;
+	/**
+	 * Allows the authentication provider to take in additional parameters.
+	 * It is up to the provider to define what these parameters are and handle them.
+	 * This is useful for passing in additional information that is specific to the provider
+	 * and not part of the standard authentication flow.
+	 */
+	[key: string]: any;
 }

+/**
+ * Options for getting authentication sessions via the service.
+ */
 export interface IAuthenticationGetSessionsOptions {
 	/**
 	 * The account that is being asked about. If this is passed in, the provider should
@@ -63,6 +76,13 @@ export interface IAuthenticationGetSessionsOptions {
 	 * the provider can use this authorization server, then it is passed down to the auth provider.
 	 */
 	authorizationServer?: URI;
+	/**
+	 * Allows the authentication provider to take in additional parameters.
+	 * It is up to the provider to define what these parameters are and handle them.
+	 * This is useful for passing in additional information that is specific to the provider
+	 * and not part of the standard authentication flow.
+	 */
+	[key: string]: any;
 }

 export interface AllowedExtension {
@@ -294,6 +314,9 @@ export interface IAuthenticationExtensionsService {
 	requestNewSession(providerId: string, scopes: string[], extensionId: string, extensionName: string): Promise<void>;
 }

+/**
+ * Options passed to the authentication provider when asking for sessions.
+ */
 export interface IAuthenticationProviderSessionOptions {
 	/**
 	 * The account that is being asked about. If this is passed in, the provider should
@@ -305,6 +328,13 @@ export interface IAuthenticationProviderSessionOptions {
 	 * attempt to return sessions that are only related to this authorization server.
 	 */
 	authorizationServer?: URI;
+	/**
+	 * Allows the authentication provider to take in additional parameters.
+	 * It is up to the provider to define what these parameters are and handle them.
+	 * This is useful for passing in additional information that is specific to the provider
+	 * and not part of the standard authentication flow.
+	 */
+	[key: string]: any;
 }

 /**
--- a/src/vscode-dts/vscode.proposed.authProviderSpecific.d.ts
+++ b/src/vscode-dts/vscode.proposed.authProviderSpecific.d.ts
@@ -0,0 +1,30 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+declare module 'vscode' {
+
+	// https://github.com/microsoft/vscode/issues/251648
+
+	export interface AuthenticationProviderSessionOptions {
+		/**
+		 * Allows the authentication provider to take in additional parameters.
+		 * It is up to the provider to define what these parameters are and handle them.
+		 * This is useful for passing in additional information that is specific to the provider
+		 * and not part of the standard authentication flow.
+		 */
+		[key: string]: any;
+	}
+
+	// TODO: Implement this interface if needed via an extension
+	// export interface AuthenticationGetSessionOptions {
+	// 	/**
+	// 	 * Allows the authentication provider to take in additional parameters.
+	// 	 * It is up to the provider to define what these parameters are and handle them.
+	// 	 * This is useful for passing in additional information that is specific to the provider
+	// 	 * and not part of the standard authentication flow.
+	// 	 */
+	// 	[key: string]: any;
+	// }
+}