Make the Dynamic Auth Providers Resource Specific (#249931)

Pretty much throws away any efforts of reuse for these auth providers... but it should support endpoints that care about the `resource` query parameter.

And lets us use the `resource_name` as something we can nicely show to the user.

Author: TylerLeonhardt

src/vs/base/common/oauth.ts

@@ -20,6 +20,11 @@ export interface IAuthorizationProtectedResourceMetadata {
 	 */
 	resource: string;
 
+	/**
+	 * OPTIONAL. Human-readable name of the protected resource intended for display to the end user.
+	 */
+	resource_name?: string;
+
 	/**
 	 * OPTIONAL. JSON array containing a list of OAuth authorization server issuer identifiers.
 	 */

src/vs/workbench/api/browser/mainThreadAuthentication.ts

@@ -113,13 +113,18 @@ export class MainThreadAuthentication extends Disposable implements MainThreadAu
 		this._register(authenticationService.registerAuthenticationProviderHostDelegate({
 			// Prefer Node.js extension hosts when they're available. No CORS issues etc.
 			priority: extHostContext.extensionHostKind === ExtensionHostKind.LocalWebWorker ? 0 : 1,
-			create: async (serverMetadata) => {
+			create: async (serverMetadata, resource) => {
 				const clientId = this.dynamicAuthProviderStorageService.getClientId(serverMetadata.issuer);
 				let initialTokens: (IAuthorizationTokenResponse & { created_at: number })[] | undefined = undefined;
 				if (clientId) {
 					initialTokens = await this.dynamicAuthProviderStorageService.getSessionsForDynamicAuthProvider(serverMetadata.issuer, clientId);
 				}
-				return this._proxy.$registerDynamicAuthProvider(serverMetadata, clientId, initialTokens);
+				return await this._proxy.$registerDynamicAuthProvider(
+					serverMetadata,
+					resource,
+					clientId,
+					initialTokens
+				);
 			}
 		}));
 	}

src/vs/workbench/api/browser/mainThreadMcp.ts

@@ -24,7 +24,7 @@ import { IExtHostContext, extHostNamedCustomer } from '../../services/extensions
 import { Proxied } from '../../services/extensions/common/proxyIdentifier.js';
 import { ExtHostContext, ExtHostMcpShape, MainContext, MainThreadMcpShape } from '../common/extHost.protocol.js';
 import { CancellationError } from '../../../base/common/errors.js';
-import { IAuthorizationServerMetadata } from '../../../base/common/oauth.js';
+import { IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata } from '../../../base/common/oauth.js';
 
 @extHostNamedCustomer(MainContext.MainThreadMcp)
 export class MainThreadMcp extends Disposable implements MainThreadMcpShape {
@@ -138,7 +138,7 @@ export class MainThreadMcp extends Disposable implements MainThreadMcpShape {
 		this._servers.get(id)?.pushMessage(message);
 	}
 
-	async $getTokenFromServerMetadata(id: number, metadata: IAuthorizationServerMetadata): Promise<string | undefined> {
+	async $getTokenFromServerMetadata(id: number, metadata: IAuthorizationServerMetadata, resource: IAuthorizationProtectedResourceMetadata | undefined): Promise<string | undefined> {
 		const server = this._serverDefinitions.get(id);
 		if (!server) {
 			return undefined;
@@ -149,7 +149,7 @@ export class MainThreadMcp extends Disposable implements MainThreadMcpShape {
 		const scopesSupported = metadata.scopes_supported || [];
 		let providerId = await this._authenticationService.getOrActivateProviderIdForIssuer(issuer);
 		if (!providerId) {
-			const provider = await this._authenticationService.createDynamicAuthenticationProvider(metadata);
+			const provider = await this._authenticationService.createDynamicAuthenticationProvider(metadata, resource);
 			if (!provider) {
 				return undefined;
 			}
@@ -235,8 +235,8 @@ export class MainThreadMcp extends Disposable implements MainThreadMcpShape {
 
 	private async loginPrompt(mcpLabel: string, providerLabel: string, recreatingSession: boolean): Promise<boolean> {
 		const message = recreatingSession
-			? nls.localize('confirmRelogin', "The MCP Server '{0}' wants you to sign in again using {1}.", mcpLabel, providerLabel)
-			: nls.localize('confirmLogin', "The MCP Server '{0}' wants to sign in using {1}.", mcpLabel, providerLabel);
+			? nls.localize('confirmRelogin', "The MCP Server Definition '{0}' wants you to authenticate to {1}.", mcpLabel, providerLabel)
+			: nls.localize('confirmLogin', "The MCP Server Definition '{0}' wants to authenticate to {1}.", mcpLabel, providerLabel);
 
 		const buttons: IPromptButton<boolean | undefined>[] = [
 			{

src/vs/workbench/api/common/extHost.protocol.ts

@@ -11,7 +11,7 @@ import { IRelativePattern } from '../../../base/common/glob.js';
 import { IMarkdownString } from '../../../base/common/htmlContent.js';
 import { IJSONSchema } from '../../../base/common/jsonSchema.js';
 import { IDisposable } from '../../../base/common/lifecycle.js';
-import { IAuthorizationServerMetadata, IAuthorizationTokenResponse } from '../../../base/common/oauth.js';
+import { IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata, IAuthorizationTokenResponse } from '../../../base/common/oauth.js';
 import * as performance from '../../../base/common/performance.js';
 import Severity from '../../../base/common/severity.js';
 import { ThemeColor, ThemeIcon } from '../../../base/common/themables.js';
@@ -1988,7 +1988,7 @@ export interface ExtHostAuthenticationShape {
 	$removeSession(id: string, sessionId: string): Promise<void>;
 	$onDidChangeAuthenticationSessions(id: string, label: string, extensionIdFilter?: string[]): Promise<void>;
 	$onDidUnregisterAuthenticationProvider(id: string): Promise<void>;
-	$registerDynamicAuthProvider(serverMetadata: IAuthorizationServerMetadata, clientId?: string, initialTokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void>;
+	$registerDynamicAuthProvider(serverMetadata: IAuthorizationServerMetadata, resource?: IAuthorizationProtectedResourceMetadata, clientId?: string, initialTokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<string>;
 	$onDidChangeDynamicAuthProviderTokens(authProviderId: string, clientId: string, tokens?: (IAuthorizationTokenResponse & { created_at: number })[]): Promise<void>;
 }
 
@@ -3017,7 +3017,7 @@ export interface MainThreadMcpShape {
 	$onDidReceiveMessage(id: number, message: string): void;
 	$upsertMcpCollection(collection: McpCollectionDefinition.FromExtHost, servers: McpServerDefinition.Serialized[]): void;
 	$deleteMcpCollection(collectionId: string): void;
-	$getTokenFromServerMetadata(id: number, metadata: IAuthorizationServerMetadata): Promise<string | undefined>;
+	$getTokenFromServerMetadata(id: number, metadata: IAuthorizationServerMetadata, resource: IAuthorizationProtectedResourceMetadata | undefined): Promise<string | undefined>;
 }
 
 export interface ExtHostLocalizationShape {

src/vs/workbench/api/common/extHostAuthentication.ts

@@ -12,7 +12,7 @@ import { INTERNAL_AUTH_PROVIDER_PREFIX } from '../../services/authentication/com
 import { createDecorator } from '../../../platform/instantiation/common/instantiation.js';
 import { IExtHostRpcService } from './extHostRpcService.js';
 import { URI } from '../../../base/common/uri.js';
-import { fetchDynamicRegistration, getClaimsFromJWT, IAuthorizationJWTClaims, IAuthorizationServerMetadata, IAuthorizationTokenResponse, isAuthorizationTokenResponse } from '../../../base/common/oauth.js';
+import { fetchDynamicRegistration, getClaimsFromJWT, IAuthorizationJWTClaims, IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata, IAuthorizationTokenResponse, isAuthorizationTokenResponse } from '../../../base/common/oauth.js';
 import { IExtHostWindow } from './extHostWindow.js';
 import { IExtHostInitDataService } from './extHostInitDataService.js';
 import { ILogger, ILoggerService } from '../../../platform/log/common/log.js';
@@ -161,29 +161,47 @@ export class ExtHostAuthentication implements ExtHostAuthenticationShape {
 		return Promise.resolve();
 	}
 
-	async $registerDynamicAuthProvider(serverMetadata: IAuthorizationServerMetadata, clientId?: string, initialTokens?: IAuthorizationToken[]): Promise<void> {
-		const issuerUri = URI.parse(serverMetadata.issuer);
-		const provider = await DynamicAuthProvider.create(
+	async $registerDynamicAuthProvider(
+		serverMetadata: IAuthorizationServerMetadata,
+		resourceMetadata: IAuthorizationProtectedResourceMetadata | undefined,
+		clientId: string | undefined,
+		initialTokens: IAuthorizationToken[] | undefined
+	): Promise<string> {
+		if (!clientId) {
+			if (!serverMetadata.registration_endpoint) {
+				throw new Error('Server does not support dynamic registration');
+			}
+			try {
+				const registration = await fetchDynamicRegistration(serverMetadata.registration_endpoint, this._initData.environment.appName);
+				clientId = registration.client_id;
+			} catch (err) {
+				throw new Error(`Dynamic registration failed: ${err.message}`);
+			}
+		}
+		const provider = new DynamicAuthProvider(
 			this._extHostWindow,
 			this._extHostUrls,
 			this._initData,
+			this._extHostLoggerService,
 			this._proxy,
-			this._extHostLoggerService.createLogger(serverMetadata.issuer, { name: issuerUri.authority }),
 			serverMetadata,
+			resourceMetadata,
+			clientId,
 			this._onDidDynamicAuthProviderTokensChange,
-			{ clientId, initialTokens }
+			initialTokens || []
 		);
-		const disposable = provider.onDidChangeSessions(e => this._proxy.$sendDidChangeSessions(serverMetadata.issuer, e));
+		const disposable = provider.onDidChangeSessions(e => this._proxy.$sendDidChangeSessions(provider.id, e));
 		this._authenticationProviders.set(
-			serverMetadata.issuer,
+			provider.id,
 			{
-				label: issuerUri.authority,
+				label: provider.label,
 				provider,
 				disposable: Disposable.from(provider, disposable),
 				options: { supportsMultipleAccounts: false }
 			}
 		);
-		await this._proxy.$registerDynamicAuthenticationProvider(serverMetadata.issuer, issuerUri.authority, issuerUri, provider.clientId);
+		await this._proxy.$registerDynamicAuthenticationProvider(provider.id, provider.label, provider.issuer, provider.clientId);
+		return provider.id;
 	}
 
 	async $onDidChangeDynamicAuthProviderTokens(authProviderId: string, clientId: string, tokens: IAuthorizationToken[]): Promise<void> {
@@ -207,28 +225,45 @@ class TaskSingler<T> {
 }
 
 export class DynamicAuthProvider implements vscode.AuthenticationProvider {
+	readonly id: string;
+	readonly label: string;
+	readonly issuer: URI;
+
 	private _onDidChangeSessions = new Emitter<vscode.AuthenticationProviderAuthenticationSessionsChangeEvent>();
 	readonly onDidChangeSessions = this._onDidChangeSessions.event;
 
 	private readonly _tokenStore: TokenStore;
 
 	private readonly _createFlows: Array<(scopes: string[]) => Promise<IAuthorizationTokenResponse>>;
 
+	private readonly _logger: ILogger;
 	private readonly _disposable: DisposableStore;
 
 	constructor(
 		@IExtHostWindow private readonly _extHostWindow: IExtHostWindow,
 		@IExtHostUrlsService private readonly _extHostUrls: IExtHostUrlsService,
 		@IExtHostInitDataService private readonly _initData: IExtHostInitDataService,
+		@ILoggerService loggerService: ILoggerService,
 		private readonly _proxy: MainThreadAuthenticationShape,
-		private readonly _logger: ILogger,
 		private readonly _serverMetadata: IAuthorizationServerMetadata,
+		private readonly _resourceMetadata: IAuthorizationProtectedResourceMetadata | undefined,
 		readonly clientId: string,
-		scopedEvent: Event<IAuthorizationToken[]>,
+		onDidDynamicAuthProviderTokensChange: Emitter<{ authProviderId: string; clientId: string; tokens: IAuthorizationToken[] }>,
 		initialTokens: IAuthorizationToken[],
 	) {
+		this.issuer = URI.parse(_serverMetadata.issuer);
+		this.id = _resourceMetadata?.resource
+			? _serverMetadata.issuer + ' ' + _resourceMetadata?.resource
+			: _serverMetadata.issuer;
+		this.label = _resourceMetadata?.resource_name ?? this.issuer.authority;
+
+		this._logger = loggerService.createLogger(_serverMetadata.issuer, { name: this.label });
 		this._disposable = new DisposableStore();
 		this._disposable.add(this._onDidChangeSessions);
+		const scopedEvent = Event.chain(onDidDynamicAuthProviderTokensChange.event, $ => $
+			.filter(e => e.authProviderId === this.id && e.clientId === clientId)
+			.map(e => e.tokens)
+		);
 		this._tokenStore = this._disposable.add(new TokenStore(
 			{
 				onDidChange: scopedEvent,
@@ -242,46 +277,6 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		this._createFlows = [scopes => this._createWithUrlHandler(scopes)];
 	}
 
-	static async create(
-		@IExtHostWindow extHostWindow: IExtHostWindow,
-		@IExtHostUrlsService extHostUrls: IExtHostUrlsService,
-		@IExtHostInitDataService initData: IExtHostInitDataService,
-		proxy: MainThreadAuthenticationShape,
-		logger: ILogger,
-		serverMetadata: IAuthorizationServerMetadata,
-		onDidDynamicAuthProviderTokensChange: Emitter<{ authProviderId: string; clientId: string; tokens: IAuthorizationToken[] }>,
-		existingState: { clientId?: string; initialTokens?: IAuthorizationToken[] } = {},
-	): Promise<DynamicAuthProvider> {
-		let { clientId, initialTokens } = existingState;
-		try {
-			if (!clientId) {
-				if (!serverMetadata.registration_endpoint) {
-					throw new Error('Server does not support dynamic registration');
-				}
-				const registration = await fetchDynamicRegistration(serverMetadata.registration_endpoint, initData.environment.appName);
-				clientId = registration.client_id;
-			}
-			const scopedEvent = Event.chain(onDidDynamicAuthProviderTokensChange.event, $ => $
-				.filter(e => e.authProviderId === serverMetadata.issuer && e.clientId === clientId)
-				.map(e => e.tokens)
-			);
-			const provider = new DynamicAuthProvider(
-				extHostWindow,
-				extHostUrls,
-				initData,
-				proxy,
-				logger,
-				serverMetadata,
-				clientId,
-				scopedEvent,
-				initialTokens || []
-			);
-			return provider;
-		} catch (err) {
-			throw new Error(`Dynamic registration failed: ${err.message}`);
-		}
-	}
-
 	async getSessions(scopes: readonly string[] | undefined, _options: vscode.AuthenticationProviderSessionOptions): Promise<vscode.AuthenticationSession[]> {
 		this._logger.info(`Getting sessions for scopes: ${scopes?.join(' ') ?? 'all'}`);
 		if (!scopes) {
@@ -399,6 +394,10 @@ export class DynamicAuthProvider implements vscode.AuthenticationProvider {
 		authorizationUrl.searchParams.append('state', state.toString());
 		authorizationUrl.searchParams.append('code_challenge', codeChallenge);
 		authorizationUrl.searchParams.append('code_challenge_method', 'S256');
+		if (this._resourceMetadata?.resource) {
+			// If a resource is specified, include it in the request
+			authorizationUrl.searchParams.append('resource', this._resourceMetadata.resource);
+		}
 
 		// Use a redirect URI that matches what was registered during dynamic registration
 		const redirectUri = 'https://vscode.dev/redirect';

src/vs/workbench/api/common/extHostMcp.ts

@@ -184,7 +184,10 @@ class McpHTTPHandle extends Disposable {
 	private _mode: HttpModeT = { value: HttpMode.Unknown };
 	private readonly _cts = new CancellationTokenSource();
 	private readonly _abortCtrl = new AbortController();
-	private _authMetadata?: IAuthorizationServerMetadata;
+	private _authMetadata?: {
+		server: IAuthorizationServerMetadata;
+		resource?: IAuthorizationProtectedResourceMetadata;
+	};
 
 	constructor(
 		private readonly _id: number,
@@ -316,12 +319,14 @@ class McpHTTPHandle extends Disposable {
 		// Second, fetch that url's well-known server metadata
 		let serverMetadataUrl: string | undefined;
 		let scopesSupported: string[] | undefined;
+		let resource: IAuthorizationProtectedResourceMetadata | undefined;
 		if (resourceMetadataChallenge) {
 			const resourceMetadata = await this._getResourceMetadata(resourceMetadataChallenge);
 			// TODO:@TylerLeonhardt support multiple authorization servers
 			// Consider using one that has an auth provider first, over the dynamic flow
 			serverMetadataUrl = resourceMetadata.authorization_servers?.[0];
 			scopesSupported = resourceMetadata.scopes_supported;
+			resource = resourceMetadata;
 		}
 
 		const baseUrl = new URL(originalResponse.url).origin;
@@ -340,14 +345,17 @@ class McpHTTPHandle extends Disposable {
 			const serverMetadataResponse = await this._getAuthorizationServerMetadata(serverMetadataUrl, addtionalHeaders);
 			const serverMetadataWithDefaults = getMetadataWithDefaultValues(serverMetadataResponse);
 			this._authMetadata = {
-				...serverMetadataWithDefaults,
-				// HACK: For now, just use the serverMetadataUrl as the issuer. I found an example, Entra,
-				// that uses a placeholder for the tenant... https://login.microsoftonline.com/{tenant}/v2.0
-				// literally... it contains `{tenant}`... instead of `organizations`. This may change our
-				// API a bit to instead pass in these other endpoints, but for now, just user the serverMetadataUrl
-				// as the isser.
-				issuer: serverMetadataUrl,
-				scopes_supported: scopesSupported ?? serverMetadataWithDefaults.scopes_supported
+				server: {
+					...serverMetadataWithDefaults,
+					// HACK: For now, just use the serverMetadataUrl as the issuer. I found an example, Entra,
+					// that uses a placeholder for the tenant... https://login.microsoftonline.com/{tenant}/v2.0
+					// literally... it contains `{tenant}`... instead of `organizations`. This may change our
+					// API a bit to instead pass in these other endpoints, but for now, just user the serverMetadataUrl
+					// as the isser.
+					issuer: serverMetadataUrl,
+					scopes_supported: scopesSupported ?? serverMetadataWithDefaults.scopes_supported
+				},
+				resource
 			};
 			return;
 		} catch (e) {
@@ -357,7 +365,10 @@ class McpHTTPHandle extends Disposable {
 		// If there's no well-known server metadata, then use the default values based off of the url.
 		const defaultMetadata = getDefaultMetadataForUrl(new URL(baseUrl));
 		defaultMetadata.scopes_supported = scopesSupported ?? defaultMetadata.scopes_supported ?? [];
-		this._authMetadata = defaultMetadata;
+		this._authMetadata = {
+			server: defaultMetadata,
+			resource
+		};
 	}
 
 	private async _getResourceMetadata(resourceMetadata: string): Promise<IAuthorizationProtectedResourceMetadata> {
@@ -628,7 +639,7 @@ class McpHTTPHandle extends Disposable {
 	private async _addAuthHeader(headers: Record<string, string>) {
 		if (this._authMetadata) {
 			try {
-				const token = await this._proxy.$getTokenFromServerMetadata(this._id, this._authMetadata);
+				const token = await this._proxy.$getTokenFromServerMetadata(this._id, this._authMetadata.server, this._authMetadata.resource);
 				if (token) {
 					headers['Authorization'] = `Bearer ${token}`;
 				}

src/vs/workbench/services/authentication/browser/authenticationService.ts

@@ -20,7 +20,7 @@ import { IJSONSchema } from '../../../../base/common/jsonSchema.js';
 import { ExtensionsRegistry } from '../../extensions/common/extensionsRegistry.js';
 import { match } from '../../../../base/common/glob.js';
 import { URI } from '../../../../base/common/uri.js';
-import { IAuthorizationServerMetadata } from '../../../../base/common/oauth.js';
+import { IAuthorizationProtectedResourceMetadata, IAuthorizationServerMetadata } from '../../../../base/common/oauth.js';
 
 export function getAuthenticationProviderActivationEvent(id: string): string { return `onAuthenticationRequest:${id}`; }
 
@@ -316,14 +316,13 @@ export class AuthenticationService extends Disposable implements IAuthentication
 		return undefined;
 	}
 
-	async createDynamicAuthenticationProvider(serverMetadata: IAuthorizationServerMetadata): Promise<IAuthenticationProvider | undefined> {
+	async createDynamicAuthenticationProvider(serverMetadata: IAuthorizationServerMetadata, resource: IAuthorizationProtectedResourceMetadata | undefined): Promise<IAuthenticationProvider | undefined> {
 		const delegate = this._delegates[0];
 		if (!delegate) {
 			this._logService.error('No authentication provider host delegate found');
 			return undefined;
 		}
-		await delegate.create(serverMetadata);
-		const providerId = serverMetadata.issuer;
+		const providerId = await delegate.create(serverMetadata, resource);
 		const provider = this._authenticationProviders.get(providerId);
 		if (provider) {
 			this._logService.debug(`Created dynamic authentication provider: ${providerId}`);