Does this issue occur when all extensions are disabled?: Yes/No
- VS Code Version: 1.116.0 (used in the latest code-server)
- OS Version: Browser (Chrome/Edge/Safari) running
code-server in a Linux Container.
Environment Note: This issue is specific to VS Code for the Web (code-server). The regex is strictly applied to the incoming URI.
Steps to Reproduce (Web Specific):
- Launch
code-server or VS Code for the Web.
- Trigger an OAuth flow that uses LocalStorageURLCallbackProvider (in my case a custom MCP server as OAuth 2.1 client).
- Identity provider (Cognito) redirects to
https://<your-domain>/callback?code=xxx&state=yyy.
- Just after a successful redirect to callback url, the following error message appears in Output tab: 'Authentication failed: No authorization code received'
Technical Specifics for the Report
In the web version, after successful redirect the callback html script writes authorization 'code' (and other parameter) to the localStorage. The Workbench (Main Thread) receives the 'LocalStorageURLCallback' and it fires an event with the localStorage item to the Extension Host Process running in backend api/node.
The bug exists in the code that receives this message inside the 'Extension Host Process'. In this repo the source code is present here:
file: /src/vs/workbench/api/common/extHostAuthentication.ts
function: private async waitForAuthorizationCode(expectedState: URI): Promise<{ code: string }>
line code: const codeMatch = /[?&]code=([^&]+)/.exec(result.query || '');
The above code has restrictive regular expression, and if the query string has code as the first parameter then it ignores it, since it does not find leading & or ? character.
My temporary fix
I was able to fix this locally in my code-server Docker container by patching the compiled output:
FROM codercom/code-server:latest
USER root
RUN sed -i 's/\[?&\]code=/\[?\&\]\?code=/g' \
/usr/lib/code-server/lib/vscode/out/vs/workbench/api/worker/extensionHostWorkerMain.js
RUN sed -i 's/\[?&\]code=/\[?\&\]\?code=/g' \
/usr/lib/code-server/lib/vscode/out/vs/workbench/api/node/extensionHostProcess.jsJust made the leading character optional.
Does this issue occur when all extensions are disabled?: Yes/No
code-serverin a Linux Container.Environment Note: This issue is specific to VS Code for the Web (code-server). The regex is strictly applied to the incoming URI.
Steps to Reproduce (Web Specific):
code-serveror VS Code for the Web.https://<your-domain>/callback?code=xxx&state=yyy.Technical Specifics for the Report
In the web version, after successful redirect the callback html script writes authorization 'code' (and other parameter) to the localStorage. The Workbench (Main Thread) receives the 'LocalStorageURLCallback' and it fires an event with the localStorage item to the Extension Host Process running in backend api/node.
The bug exists in the code that receives this message inside the 'Extension Host Process'. In this repo the source code is present here:
file:
/src/vs/workbench/api/common/extHostAuthentication.tsfunction:
private async waitForAuthorizationCode(expectedState: URI): Promise<{ code: string }>line code:
const codeMatch = /[?&]code=([^&]+)/.exec(result.query || '');The above code has restrictive regular expression, and if the
querystring hascodeas the first parameter then it ignores it, since it does not find leading&or?character.My temporary fix
I was able to fix this locally in my
code-serverDocker container by patching the compiled output:Just made the leading character optional.