Microsoft/vscode
1
0
Fork 0
mirror of https://github.com/microsoft/vscode.git synced 2026-05-19 14:49:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1106512ca64b5eb99df93dd8a6fc76d0b229ec5
vscode/extensions/microsoft-authentication/src/common/scopeData.ts
T
Tyler James Leonhardt b8be82f239 Workaround MSAL behavior (#228289) 
* Workaround MSAL behavior

The main change this makes is around what scopes are being requested.

Due to an MSAL or Identity issue, if you request a resource like `FOO/user_impersonation` and then `email`... the 2nd call does not use Graph and instead uses FOO and FOO may not have an `email` scope available. To work around this, if we detect that all scopes being requested are [OIDC scopes](https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#openid-connect-scopes) then we tack on `User.Read` to make sure that what gets returned is in fact from Graph. This prevents an infinite loop that was happening before. MSAL/Identity should fix this behavior, but this works for now.

Additionally, MSAL does already tack on OIDC scopes to all requests so I removed the logic that adds those.

Couple small things:
* Make sure MSAL logs get logged (trace)
* Use a Sequencer to make sure acquireToken calls are done sequentially just in case.

* more comment
2024-09-12 02:29:29 +02:00

86 lines
2.8 KiB
TypeScript
Raw Blame History

/*---------------------------------------------------------------------------------------------
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License. See License.txt in the project root for license information.
*--------------------------------------------------------------------------------------------*/
const DEFAULT_CLIENT_ID = 'aebc6443-996d-45c2-90f0-388ff96faa56';
const DEFAULT_TENANT = 'organizations';
const OIDC_SCOPES = ['openid', 'email', 'profile', 'offline_access'];
const GRAPH_TACK_ON_SCOPE = 'User.Read';
export class ScopeData {
/**
* The full list of scopes including:
* * the original scopes passed to the constructor
* * internal VS Code scopes (e.g. `VSCODE_CLIENT_ID:...`)
* * the default scopes (`openid`, `email`, `profile`, `offline_access`)
*/
readonly allScopes: string[];
/**
* The full list of scopes as a space-separated string. For logging.
*/
readonly scopeStr: string;
/**
* The list of scopes to send to the token endpoint. This is the same as `scopes` but without the internal VS Code scopes.
*/
readonly scopesToSend: string[];
/**
* The client ID to use for the token request. This is the value of the `VSCODE_CLIENT_ID:...` scope if present, otherwise the default client ID.
*/
readonly clientId: string;
/**
* The tenant ID to use for the token request. This is the value of the `VSCODE_TENANT:...` scope if present, otherwise the default tenant ID.
*/
readonly tenant: string;
constructor(readonly originalScopes: readonly string[] = []) {
const modifiedScopes = [...originalScopes];
modifiedScopes.sort();
this.allScopes = modifiedScopes;
this.scopeStr = modifiedScopes.join(' ');
this.scopesToSend = this.getScopesToSend(modifiedScopes);
this.clientId = this.getClientId(this.allScopes);
this.tenant = this.getTenantId(this.allScopes);
}
private getClientId(scopes: string[]) {
return scopes.reduce<string | undefined>((prev, current) => {
if (current.startsWith('VSCODE_CLIENT_ID:')) {
return current.split('VSCODE_CLIENT_ID:')[1];
}
return prev;
}, undefined) ?? DEFAULT_CLIENT_ID;
}
private getTenantId(scopes: string[]) {
return scopes.reduce<string | undefined>((prev, current) => {
if (current.startsWith('VSCODE_TENANT:')) {
return current.split('VSCODE_TENANT:')[1];
}
return prev;
}, undefined) ?? DEFAULT_TENANT;
}
private getScopesToSend(scopes: string[]) {
const scopesToSend = scopes.filter(s => !s.startsWith('VSCODE_'));
const set = new Set(scopesToSend);
for (const scope of OIDC_SCOPES) {
set.delete(scope);
}
// If we only had OIDC scopes, we need to add a tack-on scope to make the request valid
// by forcing Identity into treating this as a Graph token request.
if (!set.size) {
scopesToSend.push(GRAPH_TACK_ON_SCOPE);
}
return scopesToSend;
}
}
Reference in New Issue View Git Blame Copy Permalink