Add OAuth 2.1 authentication support (#693)

Implements OAuth 2.1 with PKCE as an alternative authentication method to session tokens, providing a more secure and user-friendly login experience.

Authentication Options:
- When connecting to an OAuth-enabled Coder deployment, users can choose between:
  - OAuth (Recommended): Secure login with automatic token refresh
  - Session Token (Legacy): Manual token generation and paste
- OAuth is automatically detected via the ".well-known/oauth-authorization-server" endpoint

Token Lifecycle:
- Tokens refresh automatically in the background before expiration
- No manual re-authentication needed during normal usage
- When OAuth sessions become invalid (revoked, expired refresh token), users see a clear re-authentication prompt
- Works across multiple VS Code windows - tokens stay synchronized

OAuth Callback Handling:
- New /oauth/callback URI handler for authorization responses
- Cross-window callback support: if the OAuth callback arrives in a different VS Code window, it's properly routed back

Implementation Details:
- OAuth modules (src/oauth/): `OAuthAuthorizer` (authorization flow + PKCE), `OAuthSessionManager` (token refresh + revocation), `OAuthMetadataClient` (server discovery + validation), typed error handling
- Auth interceptor (`src/api/authInterceptor.ts`): Unified 401 handling - automatic refresh for OAuth, interactive re-auth for tokens
- SecretsManager: Stores OAuth tokens and client registrations per-deployment with Zod validation; cross-window sync via SecretStorage events
- Scopes: [workspace:{read,update,start,ssh,application_connect}, template:read, user:read_personal]

Closes #586

Author: EhabY

package.json

@@ -437,7 +437,7 @@
 		"@vscode/test-electron": "^2.5.2",
 		"@vscode/vsce": "^3.7.1",
 		"bufferutil": "^4.1.0",
-		"coder": "https://github.com/coder/coder#main",
+		"coder": "github:coder/coder#main",
 		"dayjs": "^1.11.19",
 		"electron": "^39.2.7",
 		"esbuild": "^0.27.2",

pnpm-lock.yaml

@@ -0,0 +1,123 @@
+import { type AxiosError, isAxiosError } from "axios";
+
+import { toSafeHost } from "../util";
+
+import type * as vscode from "vscode";
+
+import type { SecretsManager } from "../core/secretsManager";
+import type { Logger } from "../logging/logger";
+import type { RequestConfigWithMeta } from "../logging/types";
+import type { OAuthSessionManager } from "../oauth/sessionManager";
+
+import type { CoderApi } from "./coderApi";
+
+const coderSessionTokenHeader = "Coder-Session-Token";
+
+/**
+ * Callback invoked when authentication is required.
+ * Returns true if user successfully re-authenticated.
+ */
+export type AuthRequiredHandler = (hostname: string) => Promise<boolean>;
+
+/**
+ * Intercepts 401 responses and handles re-authentication.
+ *
+ * Always attached to the axios instance. Handles both OAuth (automatic refresh)
+ * and non-OAuth (interactive re-auth via callback) authentication failures.
+ */
+export class AuthInterceptor implements vscode.Disposable {
+	private readonly interceptorId: number;
+
+	constructor(
+		private readonly client: CoderApi,
+		private readonly logger: Logger,
+		private readonly oauthSessionManager: OAuthSessionManager,
+		private readonly secretsManager: SecretsManager,
+		private readonly onAuthRequired?: AuthRequiredHandler,
+	) {
+		this.interceptorId = this.client
+			.getAxiosInstance()
+			.interceptors.response.use(
+				(r) => r,
+				(error: unknown) => this.handleError(error),
+			);
+		this.logger.debug("Auth interceptor attached");
+	}
+
+	private async handleError(error: unknown): Promise<unknown> {
+		if (!isAxiosError(error)) {
+			throw error;
+		}
+
+		if (error.config) {
+			const config = error.config as { _retryAttempted?: boolean };
+			if (config._retryAttempted) {
+				throw error;
+			}
+		}
+
+		if (error.response?.status !== 401) {
+			throw error;
+		}
+
+		const baseUrl = this.client.getHost();
+		if (!baseUrl) {
+			throw error;
+		}
+		const hostname = toSafeHost(baseUrl);
+
+		return this.handle401Error(error, hostname);
+	}
+
+	private async handle401Error(
+		error: AxiosError,
+		hostname: string,
+	): Promise<unknown> {
+		this.logger.debug("Received 401 response, attempting recovery");
+
+		if (await this.oauthSessionManager.isLoggedInWithOAuth(hostname)) {
+			try {
+				const newTokens = await this.oauthSessionManager.refreshToken();
+				this.client.setSessionToken(newTokens.access_token);
+				this.logger.debug("Token refresh successful, retrying request");
+				return this.retryRequest(error, newTokens.access_token);
+			} catch (refreshError) {
+				this.logger.error("OAuth refresh failed:", refreshError);
+			}
+		}
+
+		if (this.onAuthRequired) {
+			this.logger.debug("Triggering interactive re-authentication");
+			const success = await this.onAuthRequired(hostname);
+			if (success) {
+				const auth = await this.secretsManager.getSessionAuth(hostname);
+				if (auth) {
+					this.logger.debug("Re-authentication successful, retrying request");
+					return this.retryRequest(error, auth.token);
+				}
+			}
+		}
+
+		throw error;
+	}
+
+	private retryRequest(error: AxiosError, token: string): Promise<unknown> {
+		if (!error.config) {
+			throw error;
+		}
+
+		const config = error.config as RequestConfigWithMeta & {
+			_retryAttempted?: boolean;
+		};
+		config._retryAttempted = true;
+		config.headers[coderSessionTokenHeader] = token;
+		return this.client.getAxiosInstance().request(config);
+	}
+
+	public dispose(): void {
+		this.client
+			.getAxiosInstance()
+			.interceptors.response.eject(this.interceptorId);
+		this.logger.debug("Auth interceptor detached");
+	}
+}

src/api/authInterceptor.ts

@@ -48,6 +48,7 @@ export class ServiceContainer implements vscode.Disposable {
 			this.mementoManager,
 			this.vscodeProposed,
 			this.logger,
+			context.extension.id,
 		);
 	}
 
@@ -89,5 +90,6 @@ export class ServiceContainer implements vscode.Disposable {
 	dispose(): void {
 		this.contextManager.dispose();
 		this.logger.dispose();
+		this.loginCoordinator.dispose();
 	}
 }