Discussion: Streamlined GitHub authentication #93
Comments
Oof, ok, that was a bit of a brain dump. I have a local patch to add support for the webflow with the localhost approach, as a rough draft to see how that would work. I'll push that for discussion soon (probably Monday 'cause haha it's late here). |
@shana We support custom protocol handlers for VS Code extensions, so you could register a custom handler in the extension for the authentication url callback. See https://code.visualstudio.com/updates/v1_23#_protocol-handler-api. To me 1) sounds like the easiest scenario to get going. |
@auchenberg Oh that's handy, I'll look into it, thanks! |
Closing this issue, as we have landed the first version of auth. We'll resume the conversation if auth needs tweaks. |
Under what key? Or is this not even an option anymore? |
It's a complete disgrace that setting the personal token is so hard to work out!!!! Why don't you have this in the documentation????????? PyCharm makes it easy, so it is very hard to swap to VS Code, when you make it so hard!!! Why?????? Your docs point to this page, which does not even describe what to do. Why??????????? |
Why?????????? Lol
On Mon, Apr 29, 2024 at 10:54 PM brettforbes ***@***.***> wrote:
It's a complete disgrace that setting the personal token is so hard to work
out!!!! Why don't you have this in the documentation?????????
PyCharm makes it easy, so it is very hard to swap to VS Code, when you
make it so hard!!! Why??????
Your docs point to this page, which does not even describe what to do.
Why???????????
https://code.visualstudio.com/docs/sourcecontrol/github
|
@devinrhode2 I am currently using PyCharm, which makes it easy to copy and paste in my PAT, every time. It will prompt me if my GitHub token has expired, and generally makes it trivial to contribute key pieces, and have the comp sci people sort it out. I am sure you are a complete guru on the comp sci, so it must be perplexing as to why I got frustrated. I seriously do not want to spend the time working out how to go to another environment, and remember yet another syntax. Like why should I? I like VS Code, it is well-written software, but I don't switch to it mostly because of this small thing, strange as it may seem. My comment was injected when I was trying to use it on a tight deadline, and I wasted some time trying to sort it out, so I had to renew a year's subscription of PyCharm. Mind you it is better at handling large JSONs and it is visually more appealing. |
Goal
To streamline authentication for users connecting to GitHub or GitHub Enterprise for the purposes of using a GitHub application. Ideally, the user doesn't have to do anything beyond logging into their account and authorizing access to an application (without copy-pasting tokens).
Authentication tokens and scopes:
GitHub APIs almost always require a token to access them. Some don't (because the data is public, for eg.), but anonymous calls are severely rate limited, so any app using the API for public data will need a token at some point.
The API has a granular permission system, and a token will have scopes attached to it, so that only those endpoints or actions that the scopes allow will be usable: the `repo` scope, `user`, `discussion`, `gist`, etc., depending on what they're doing.
There are three ways to obtain a token:
The user creates a personal access token in their settings page and selects the scopes.
The application obtains a token on behalf of the user by doing the oauth2 web authentication flow - opening a browser to the server that will show the requested permissions for the user to authorize, and returning the token to the app
The application obtains a token on behalf of the user by asking the user for their username and password, their 2FA code, and calling the GitHub OAuth rest API endpoint with this information, along with the desired scopes, and obtaining a token in return.
The oauth webflow for applications
While the OAuth REST API is usable by any desktop app, the webflow is more complicated. The web flow requires that GitHub redirect the user to a known URI at the end of the authentication - this request includes the token in the body. For desktop applications, this is a bit tricky to pull off.
There are strategies around this:
Desktop applications that have their own installers can install a protocol handler on the system, and configure the redirect URI to be a particular protocol (like desktop:// or something://).
The application can listen on a known port on localhost, and the callback URI is configured to http(s)://localhost:PORT. Traffic to the localhost address never leaves the machine (i.e. no one can sniff the data). That means we can use http, and listening on ports above a certain range does not require admin permissions.
The callback URI is configured to go to a separate webservice/webapp (running on heroku, for eg.). The local application opens a websocket to the webservice to prepare it for handling the authentication, and the webservice handles all the redirects for the webflow. Once the webservice receives the token, it sends it back to the local application via the websocket.
What the extension does today
Right now, the extension requires the user to create a token manually and store it in the settings file. If there isn't a token in the settings, it will try to use whatever is available to Git via the credential helper - which is brittle, given that that token might not have enough permissions.
/cc @RMacfarlane @sguthals @daviwil