From b4c1eaa7c86d5daa45f6a41e255e70ae3cb03326 Mon Sep 17 00:00:00 2001 From: Tyler James Leonhardt <2644648+TylerLeonhardt@users.noreply.github.com> Date: Tue, 23 Sep 2025 10:21:21 -0700 Subject: [PATCH] Finalize Auth Challenges caller API (#268006) Fixes https://github.com/microsoft/vscode/issues/260156 --- .../workbench/api/common/extHost.api.impl.ts | 3 - .../api/common/extHostAuthentication.ts | 12 --- src/vscode-dts/vscode.d.ts | 84 ++++++++++++----- ...ode.proposed.authenticationChallenges.d.ts | 94 +------------------ 4 files changed, 61 insertions(+), 132 deletions(-) diff --git a/src/vs/workbench/api/common/extHost.api.impl.ts b/src/vs/workbench/api/common/extHost.api.impl.ts index 894bd1b233a..b6fe410e31d 100644 --- a/src/vs/workbench/api/common/extHost.api.impl.ts +++ b/src/vs/workbench/api/common/extHost.api.impl.ts @@ -302,9 +302,6 @@ export function createApiFactoryAndRegisterActors(accessor: ServicesAccessor): I const authentication: typeof vscode.authentication = { getSession(providerId: string, scopesOrChallenge: readonly string[] | vscode.AuthenticationWwwAuthenticateRequest, options?: vscode.AuthenticationGetSessionOptions) { - if (!Array.isArray(scopesOrChallenge)) { - checkProposedApiEnabled(extension, 'authenticationChallenges'); - } if ( (typeof options?.forceNewSession === 'object' && options.forceNewSession.learnMore) || (typeof options?.createIfNone === 'object' && options.createIfNone.learnMore) diff --git a/src/vs/workbench/api/common/extHostAuthentication.ts b/src/vs/workbench/api/common/extHostAuthentication.ts index 39814f50421..27a36da458a 100644 --- a/src/vs/workbench/api/common/extHostAuthentication.ts +++ b/src/vs/workbench/api/common/extHostAuthentication.ts 
@@ -88,18 +88,6 @@ export class ExtHostAuthentication implements ExtHostAuthenticationShape { const keys: (keyof vscode.AuthenticationGetSessionOptions)[] = Object.keys(options) as (keyof vscode.AuthenticationGetSessionOptions)[]; const optionsStr = keys.sort().map(key => `${key}:${!!options[key]}`).join(', '); - // old shape, remove next milestone - if ( - 'scopes' in scopesOrRequest - && typeof scopesOrRequest.scopes === 'string' - && !scopesOrRequest.fallbackScopes - ) { - scopesOrRequest = { - wwwAuthenticate: scopesOrRequest.wwwAuthenticate, - fallbackScopes: scopesOrRequest.scopes - }; - } - let singlerKey: string; if (isAuthenticationWwwAuthenticateRequest(scopesOrRequest)) { const challenge = scopesOrRequest as vscode.AuthenticationWwwAuthenticateRequest; diff --git a/src/vscode-dts/vscode.d.ts b/src/vscode-dts/vscode.d.ts index 24912eec95d..9d560636bd3 100644 --- a/src/vscode-dts/vscode.d.ts +++ b/src/vscode-dts/vscode.d.ts 
@@ -17814,6 +17814,30 @@ declare module 'vscode' { account?: AuthenticationSessionAccountInformation; } + /** + * Represents parameters for creating a session based on a WWW-Authenticate header value. + * This is used when an API returns a 401 with a WWW-Authenticate header indicating + * that additional authentication is required. The details of which will be passed down + * to the authentication provider to create a session. + * + * @note The authorization provider must support handling challenges and specifically + * the challenges in this WWW-Authenticate value. + * @note For more information on WWW-Authenticate please see https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/WWW-Authenticate + */ + export interface AuthenticationWwwAuthenticateRequest { + /** + * The raw WWW-Authenticate header value that triggered this challenge. + * This will be parsed by the authentication provider to extract the necessary + * challenge information. + */ + readonly wwwAuthenticate: string; + + /** + * The fallback scopes to use if no scopes are found in the WWW-Authenticate header. + */ + readonly fallbackScopes?: readonly string[]; + } + /** * Basic information about an {@link AuthenticationProvider} */ 
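Review bot: The doc comment on `wwwAuthenticate` in the new `AuthenticationWwwAuthenticateRequest` interface does not say that the value is server-controlled input, which matters now that the type is stable API: it comes from a 401 response and, per the comment, is parsed by the provider to decide what to request. I would add a line such as `Only pass a header value received from the service the extension intended to call; the provider derives the requested scopes from it.` The `fallbackScopes` comment should also state what happens when it is omitted and the header carries no scopes, which this hunk does not show. Minor: the first `@note` says "authorization provider" where the rest of the comment says "authentication provider".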
@@ -17936,49 +17960,59 @@ declare module 'vscode' { */ export namespace authentication { /** - * Get an authentication session matching the desired scopes. Rejects if a provider with providerId is not - * registered, or if the user does not consent to sharing authentication information with - * the extension. If there are multiple sessions with the same scopes, the user will be shown a - * quickpick to select which account they would like to use. + * Get an authentication session matching the desired scopes or satisfying the WWW-Authenticate request. Rejects if + * a provider with providerId is not registered, or if the user does not consent to sharing authentication information + * with the extension. If there are multiple sessions with the same scopes, the user will be shown a quickpick to + * select which account they would like to use. + * + * Built-in auth providers include: + * * 'github' - For GitHub.com + * * 'microsoft' For both personal & organizational Microsoft accounts + * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server + * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds * - * Currently, there are only two authentication providers that are contributed from built in extensions - * to the editor that implement GitHub and Microsoft authentication: their providerId's are 'github' and 'microsoft'. * @param providerId The id of the provider to use - * @param scopes A list of scopes representing the permissions requested. These are dependent on the authentication provider + * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. 
* @param options The {@link AuthenticationGetSessionOptions} to use * @returns A thenable that resolves to an authentication session */ - export function getSession(providerId: string, scopes: readonly string[], options: AuthenticationGetSessionOptions & { /** */createIfNone: true | AuthenticationGetSessionPresentationOptions }): Thenable; + export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options: AuthenticationGetSessionOptions & { /** */createIfNone: true | AuthenticationGetSessionPresentationOptions }): Thenable; /** - * Get an authentication session matching the desired scopes. Rejects if a provider with providerId is not - * registered, or if the user does not consent to sharing authentication information with - * the extension. If there are multiple sessions with the same scopes, the user will be shown a - * quickpick to select which account they would like to use. + * Get an authentication session matching the desired scopes or request. Rejects if a provider with providerId is not + * registered, or if the user does not consent to sharing authentication information with the extension. If there + * are multiple sessions with the same scopes, the user will be shown a quickpick to select which account they would like to use. + * + * Built-in auth providers include: + * * 'github' - For GitHub.com + * * 'microsoft' For both personal & organizational Microsoft accounts + * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server + * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds * - * Currently, there are only two authentication providers that are contributed from built in extensions - * to the editor that implement GitHub and Microsoft authentication: their providerId's are 'github' and 'microsoft'. 
* @param providerId The id of the provider to use - * @param scopes A list of scopes representing the permissions requested. These are dependent on the authentication provider + * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. * @param options The {@link AuthenticationGetSessionOptions} to use * @returns A thenable that resolves to an authentication session */ - export function getSession(providerId: string, scopes: readonly string[], options: AuthenticationGetSessionOptions & { /** literal-type defines return type */forceNewSession: true | AuthenticationGetSessionPresentationOptions | AuthenticationForceNewSessionOptions }): Thenable; + export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options: AuthenticationGetSessionOptions & { /** literal-type defines return type */forceNewSession: true | AuthenticationGetSessionPresentationOptions | AuthenticationForceNewSessionOptions }): Thenable; /** - * Get an authentication session matching the desired scopes. Rejects if a provider with providerId is not - * registered, or if the user does not consent to sharing authentication information with - * the extension. If there are multiple sessions with the same scopes, the user will be shown a - * quickpick to select which account they would like to use. + * Get an authentication session matching the desired scopes or request. Rejects if a provider with providerId is not + * registered, or if the user does not consent to sharing authentication information with the extension. If there + * are multiple sessions with the same scopes, the user will be shown a quickpick to select which account they would like to use. 
+ * + * Built-in auth providers include: + * * 'github' - For GitHub.com + * * 'microsoft' For both personal & organizational Microsoft accounts + * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server + * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds * - * Currently, there are only two authentication providers that are contributed from built in extensions - * to the editor that implement GitHub and Microsoft authentication: their providerId's are 'github' and 'microsoft'. * @param providerId The id of the provider to use - * @param scopes A list of scopes representing the permissions requested. These are dependent on the authentication provider + * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. * @param options The {@link AuthenticationGetSessionOptions} to use - * @returns A thenable that resolves to an authentication session if available, or undefined if there are no sessions + * @returns A thenable that resolves to an authentication session or undefined if a silent flow was used and no session was found */ - export function getSession(providerId: string, scopes: readonly string[], options?: AuthenticationGetSessionOptions): Thenable; + export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options?: AuthenticationGetSessionOptions): Thenable; /** * Get all accounts that the user is logged in to for the specified provider. diff --git a/src/vscode-dts/vscode.proposed.authenticationChallenges.d.ts b/src/vscode-dts/vscode.proposed.authenticationChallenges.d.ts index 3cc2d5b7696..c3a0b67a3a6 100644 --- a/src/vscode-dts/vscode.proposed.authenticationChallenges.d.ts +++ b/src/vscode-dts/vscode.proposed.authenticationChallenges.d.ts 
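Review bot: The new `@returns` text on the third `getSession` overload, "undefined if a silent flow was used and no session was found", is narrower than the sentence it replaces ("undefined if there are no sessions") and reads as if only `silent` calls can resolve to undefined. If a call without `createIfNone` or `forceNewSession` can also resolve to undefined when no session exists (the optional `options` parameter suggests so, but the implementation is outside this hunk), I would keep the broader wording, e.g. `@returns A thenable that resolves to an authentication session, or undefined if no session was found and none was created`. The summary sentence "If there are multiple sessions with the same scopes" is unchanged in all three overloads and does not say how sessions are matched when a WWW-Authenticate request is passed instead of a scope list. Style: the list item `'microsoft' For both` lacks the ` - ` separator the other three items use, in each of the three overloads. The `authentication` namespace continues past the end of this hunk.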
@@ -5,98 +5,8 @@ declare module 'vscode' { - // https://github.com/microsoft/vscode/issues/260156 - - /********** - * "Extension asking for auth" API - *******/ - - /** - * Represents parameters for creating a session based on a WWW-Authenticate header value. - * This is used when an API returns a 401 with a WWW-Authenticate header indicating - * that additional authentication is required. The details of which will be passed down - * to the authentication provider to create a session. - * - * @note The authorization provider must support handling challenges and specifically - * the challenges in this WWW-Authenticate value. - * @note For more information on WWW-Authenticate please see https://developer.mozilla.org/docs/Web/HTTP/Reference/Headers/WWW-Authenticate - */ - export interface AuthenticationWwwAuthenticateRequest { - /** - * The raw WWW-Authenticate header value that triggered this challenge. - * This will be parsed by the authentication provider to extract the necessary - * challenge information. - */ - readonly wwwAuthenticate: string; - - /** - * The fallback scopes to use if no scopes are found in the WWW-Authenticate header. - */ - readonly fallbackScopes?: readonly string[]; - - /** - * @deprecated Use `fallbackScopes` instead. - */ - readonly scopes?: readonly string[]; - } - - export namespace authentication { - /** - * Get an authentication session matching the desired scopes or satisfying the WWW-Authenticate request. Rejects if - * a provider with providerId is not registered, or if the user does not consent to sharing authentication information - * with the extension. If there are multiple sessions with the same scopes, the user will be shown a quickpick to - * select which account they would like to use. 
- * - * Built-in auth providers include: - * * 'github' - For GitHub.com - * * 'microsoft' For both personal & organizational Microsoft accounts - * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server - * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds - * - * @param providerId The id of the provider to use - * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. - * @param options The {@link AuthenticationGetSessionOptions} to use - * @returns A thenable that resolves to an authentication session - */ - export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options: AuthenticationGetSessionOptions & { /** */createIfNone: true | AuthenticationGetSessionPresentationOptions }): Thenable; - - /** - * Get an authentication session matching the desired scopes or request. Rejects if a provider with providerId is not - * registered, or if the user does not consent to sharing authentication information with the extension. If there - * are multiple sessions with the same scopes, the user will be shown a quickpick to select which account they would like to use. - * - * Built-in auth providers include: - * * 'github' - For GitHub.com - * * 'microsoft' For both personal & organizational Microsoft accounts - * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server - * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds - * - * @param providerId The id of the provider to use - * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. 
- * @param options The {@link AuthenticationGetSessionOptions} to use - * @returns A thenable that resolves to an authentication session - */ - export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options: AuthenticationGetSessionOptions & { /** literal-type defines return type */forceNewSession: true | AuthenticationGetSessionPresentationOptions | AuthenticationForceNewSessionOptions }): Thenable; - - /** - * Get an authentication session matching the desired scopes or request. Rejects if a provider with providerId is not - * registered, or if the user does not consent to sharing authentication information with the extension. If there - * are multiple sessions with the same scopes, the user will be shown a quickpick to select which account they would like to use. - * - * Built-in auth providers include: - * * 'github' - For GitHub.com - * * 'microsoft' For both personal & organizational Microsoft accounts - * * (less common) 'github-enterprise' - for alternative GitHub hostings, GHE.com, GitHub Enterprise Server - * * (less common) 'microsoft-sovereign-cloud' - for alternative Microsoft clouds - * - * @param providerId The id of the provider to use - * @param scopeListOrRequest A scope list of permissions requested or a WWW-Authenticate request. These are dependent on the authentication provider. - * @param options The {@link AuthenticationGetSessionOptions} to use - * @returns A thenable that resolves to an authentication session or undefined if a silent flow was used and no session was found - */ - export function getSession(providerId: string, scopeListOrRequest: ReadonlyArray | AuthenticationWwwAuthenticateRequest, options?: AuthenticationGetSessionOptions): Thenable; - } - + // https://github.com/microsoft/vscode/issues/267992 + // and historically: https://github.com/microsoft/vscode/issues/260156 /********** * "Extension providing auth" API