Skip to content

Fix OAuth2 resource parameter compliance with RFC 8707 #261815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
TylerLeonhardt merged 2 commits into from
Aug 28, 2025
Merged

Fix OAuth2 resource parameter compliance with RFC 8707 #261815

TylerLeonhardt merged 2 commits into from
Aug 28, 2025

Conversation

@bluedog13
Copy link
Contributor

@bluedog13 bluedog13 commented Aug 15, 2025

Summary

This PR fixes VS Code's OAuth2 flow to comply with RFC 8707 by including the resource parameter in token exchange requests.

Problem

The current implementation includes the resource indicator in the authorization request but omits it from both the authorization code and refresh token exchange requests. This violates RFC 8707 and can cause token validation failures on protected resources that require the resource parameter to be consistently present throughout the OAuth2 flow.

Solution

Added the resource parameter to both token exchange methods in the DynamicAuthProvider class:

  • exchangeCodeForToken() - now includes resource parameter when exchanging authorization code for tokens
  • exchangeRefreshTokenForToken() - now includes resource parameter when refreshing tokens

The fix ensures that when _resourceMetadata?.resource is available, it is consistently included in all OAuth2 requests throughout the authentication flow.

Test Plan

Fixes #261364
@gautam-goudar
Fix OAuth2 resource parameter compliance with RFC 8707
80c2dec 
Include resource parameter in token exchange requests for OAuth2 flow to comply with RFC 8707.
The resource indicator was previously only included in the authorization request but missing
from both the authorization code and refresh token exchange requests.

This fix ensures that when a resource is specified in the metadata, it is consistently
included in all OAuth2 requests:
- Authorization request (already implemented)
- Authorization code for token exchange (now fixed)
- Refresh token exchange (now fixed)

Fixes microsoft#261364
@bluedog13 bluedog13 mentioned this pull request Aug 15, 2025
Closed
@TylerLeonhardt TylerLeonhardt self-assigned this Aug 15, 2025
TylerLeonhardt
TylerLeonhardt approved these changes Aug 28, 2025
View reviewed changes
Copy link
Member

@TylerLeonhardt TylerLeonhardt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. We also need to do this here https://github.com/bluedog13/vscode/blob/80c2dec96d860b41e7001a86b93203dafe9eeedb/src/vs/workbench/api/node/extHostAuthentication.ts#L250-L258

but that can be a separate PR since it would be an addition
@vs-code-engineering vs-code-engineering bot added this to the August 2025 milestone Aug 28, 2025
@TylerLeonhardt TylerLeonhardt enabled auto-merge (squash) August 28, 2025 20:23
auto-merge was automatically disabled August 28, 2025 20:28

Pull request was closed

@TylerLeonhardt TylerLeonhardt enabled auto-merge (squash) August 28, 2025 20:29
auto-merge was automatically disabled August 28, 2025 21:05

Pull request was closed

@TylerLeonhardt TylerLeonhardt enabled auto-merge (squash) August 28, 2025 21:19
@TylerLeonhardt TylerLeonhardt merged commit d807235 into microsoft:main Aug 28, 2025
32 checks passed
@vs-code-engineering vs-code-engineering bot locked and limited conversation to collaborators Oct 13, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

4 participants

@bluedog13 @Tyriar @TylerLeonhardt @gautam-goudar