Authentication Provider based on cross-origin-channel

Issue: Adapt OAuth2 client to work when Web IDE is hos... (#420 - closed)

What does this MR do and why?

This merge request introduces changes to support a dedicated Web IDE origin by ensuring that OAuth authentication works securely across origins. It adds a new authentication provider that uses a cross-origin communication channel, allowing the Web IDE to securely communicate with its parent window. The new authentication provider is behind the dedicatedWebIDEOrigin feature flag, which is enabled by default on the Web IDE's test server. There are two main classes introduced in this MR:

  • PortChannelAuthProvider implements the AuthenticationProvider interface used by GitLab's API client to obtain access tokens to authenticate API requests. This class obtains an access token by sending a message via a PortChannel object to request access tokens from the GitLab instance's origin. It also listens for access-token-changed messages to notify when an OAuth access token expires.
  • AuthPortChannelController handles the access token requests sent by PortChannelAuthProvider. It depends on the OAuthClient class to obtain access tokens and detect when the access token changes.
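
The request/notify exchange between the two sides, as an added sketch that is not the MR's code: a Node MessageChannel stands in for the cross-origin port pair, and the class names, the request/response message types, the token caching and the OAuth stub are assumptions (only the access-token-changed message name comes from the description above).

```javascript
// Added illustration: all names except the 'access-token-changed' message are hypothetical.
// GitLab-origin side: owns the OAuth client and answers token requests on its port.
class TokenController {
  constructor(port, oauthClient) {
    port.onmessage = async ({ data }) => {
      if (data?.type !== 'access-token-request') return; // drop unknown messages
      const token = await oauthClient.getToken();
      port.postMessage({ type: 'access-token-response', id: data.id, token });
    };
    // Announce rotation without sending the token; the IDE side must ask again.
    oauthClient.onTokenChange(() => port.postMessage({ type: 'access-token-changed' }));
  }
}
// Web IDE-origin side: holds no OAuth client state, only a port.
class PortTokenProvider {
  constructor(port) {
    Object.assign(this, { port, pending: new Map(), nextId: 0, cached: null, onChange() {} });
    port.onmessage = ({ data }) => {
      if (data?.type === 'access-token-changed') {
        this.cached = null; // caching is an assumption of this sketch
        this.onChange();
      } else if (data?.type === 'access-token-response' && this.pending.has(data.id)) {
        this.pending.get(data.id)(data.token); // resolve the matching request only
        this.pending.delete(data.id);
      }
    };
  }
  getToken() {
    this.cached ??= new Promise((resolve) => {
      const id = ++this.nextId;
      this.pending.set(id, resolve);
      this.port.postMessage({ type: 'access-token-request', id });
    });
    return this.cached;
  }
}

async function demo() {
  const { port1, port2 } = new MessageChannel(); // stand-in for the cross-origin port pair
  let n = 1, notify = () => {};                  // constructed OAuth client stub
  const oauth = { getToken: async () => `token-${n}`, onTokenChange: (fn) => { notify = fn; } };
  new TokenController(port1, oauth);
  const provider = new PortTokenProvider(port2);
  const first = await provider.getToken();
  const changed = new Promise((resolve) => { provider.onChange = resolve; });
  n += 1; notify();                              // simulate a token refresh
  await changed;
  const second = await provider.getToken();      // cache was invalidated, so this re-requests
  port1.close();                                 // lets the Node event loop exit
  return [first, second];
}
```

The IDE side only ever sees short-lived access tokens handed over on request; the OAuth client and its refresh state stay on the GitLab origin.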


Other changes

This MR also moves the cleanWebIDEExtensions module to the vscode-bootstrap package in preparation for using multiple origins. Once the Web IDE uses a separate origin for the VSCode workbench, VSCode's indexedDB database won't be accessible from the GitLab instance's origin.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

This MR doesn't introduce visual changes.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Run the Web IDE test server: yarn start:example
  2. Make sure all the Web IDE's functionality is working as usual.
  3. Keep the Web IDE's browser tab open for 1 hour without interacting with it.
  4. Repeat step 2. This will ensure that the refresh mechanism for OAuth access tokens still works.
Edited by Enrique Alcántara
