[WIP] Add AuthenticationProvider implementing OAuth2 code flow #256
Conversation
This is an early implementation of the VS Code Authentication Provider API which is able to open regular sessions in the openHAB instance by authorizing itself with the OAuth2 flow, similarly to the main UI. When an API request fails, a "Sign in" button is offered to perform the initial authorization flow (opening a browser to allow the user to sign in and open a session), the refresh token is then stored in the keychain (secrets in the extension context), and reused to get additional access tokens to access the API on behalf of the user. It doesn't support yet: - PKCE challenges - Normal access token management, for instance refreshing it automatically before it expires (after 1 hour) - Signing out (!) Signed-off-by: Yannick Schaus <github@schaus.net>
Signed-off-by: Yannick Schaus <github@schaus.net>
Signed-off-by: Yannick Schaus <github@schaus.net>
Signed-off-by: Yannick Schaus <github@schaus.net>
|
Example: Native dialog from VS Code:
The sign in page is opened in a browser tab:
When clicking sign in the browser may ask if VS Code should open the link:
The extension catches the callback, gets the authorization code from it, and exchanges it for a refresh token and access token:
The protected API calls now work, no manual token creation necessary:
The client ID & refresh token are stored as secrets and they can be retrieved later, so no need to repeat this procedure afterwards. The VS Code sessions appear in the user's profile page in main UI and can be revoked from there:
|
Signed-off-by: Yannick Schaus <github@schaus.net>
|
Ah nice. This was on my todo list after the 1.0.0 release too. 🙂 |
Maybe we could tweak this to be opened in a vscode WebView too. https://community.openhab.org/t/docs-in-vscode-anyone-interested/119774?u=confectrician |
|
Why not, provided the webviews can catch fyi this code has a lot of code borrowed from the built-in GitHub login. Maybe it would make sense to have an approach as similar as possible to the built-in authenticators. |
This is an early implementation of the VS Code Authentication
Provider API which is able to open regular sessions in the
openHAB instance by authorizing itself with the OAuth2 flow,
similarly to the main UI.
When an API request fails, a "Sign in" button is offered to
perform the initial authorization flow (opening a browser to
allow the user to sign in and open a session), the refresh
token is then stored in the secrets storage (new secrets API),
and reused to get additional access tokens to access the API
on behalf of the user.
It doesn't support yet:
automatically before it expires (after 1 hour)
Signed-off-by: Yannick Schaus github@schaus.net