DN-3783 feat: add SURFconext authentication support#1

Open
annesnour03 wants to merge 4 commits into main from feature/DN-3783

Conversation

@annesnour03


This is my approach to OIDC authentication.
On launch, the extension:

  • Signs in using OIDC authorization code flow with PKCE.
  • Receives the callback on http://localhost:3000/callback (normally you have a vscode:// thing, but I couldn't register that as a redirect in the SP dashboard).
  • Stores tokens using VS Code SecretStorage.
  • Retrieves the user’s display name through UserInfo.
  • Sends the access token to the Workflow API as a bearer token.
  • Retries once after a 401.

Users can clear their local session through the VS Code Accounts menu.

I first had refresh tokens implemented, but I realized that SURF doesn't grant them, I think we have to ask them to enable it for our client id (https://servicedesk.surf.nl/wiki/spaces/IAM/pages/128910087/Refresh%2BTokens%2B-%2BWhat%2Bare%2Bthey%2Band%2Bwhen%2Bto%2Buse%2Bthem). So I've just removed that part for now.
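As an added example (not code from this PR or from the extension), the flow described above reduced to pieces that run offline: the PKCE code_verifier/code_challenge (S256), the authorization request with a state parameter, the check on the localhost callback, and the bearer call that retries exactly once after a 401. The authorization endpoint, client id and the stand-in Workflow API are assumed or constructed values; the token exchange and UserInfo call are left out because they need the live provider.

```typescript
// Added example, not the PR's code. Pure functions so it runs without a provider.
import { createHash, randomBytes } from 'node:crypto';

// base64url without padding, as RFC 7636 requires.
const b64url = (buf: Buffer): string =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// code_verifier: 32 random bytes -> 43 unreserved characters (the RFC 7636 minimum length).
export function newVerifier(): string {
  return b64url(randomBytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method S256.
export function challengeFor(verifier: string): string {
  return b64url(createHash('sha256').update(verifier, 'ascii').digest());
}

export interface AuthRequest { url: string; state: string; verifier: string; }

// Build the authorization request. authorizationEndpoint, clientId and redirectUri are
// caller-supplied assumptions here, not SURFconext's real values.
export function buildAuthRequest(authorizationEndpoint: string, clientId: string, redirectUri: string): AuthRequest {
  const verifier = newVerifier();
  const state = b64url(randomBytes(16)); // binds the callback to this request
  const u = new URL(authorizationEndpoint);
  u.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid',
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: u.toString(), state, verifier };
}

// Validate the redirect the local listener receives. An error response, a missing code,
// or a state that does not match the pending request is rejected (CSRF / mix-up defence).
export function parseCallback(rawUrl: string, expectedState: string): string {
  const u = new URL(rawUrl);
  const err = u.searchParams.get('error');
  if (err) throw new Error(`authorization failed: ${err}`);
  if (u.searchParams.get('state') !== expectedState) throw new Error('state mismatch');
  const code = u.searchParams.get('code');
  if (!code) throw new Error('callback without code');
  return code; // exchange this for tokens at the token endpoint, sending the verifier
}

export interface Resp { status: number; body: string; }
export type Fetch = (url: string, headers: Record<string, string>) => Promise<Resp>;

// Call the API with a bearer token; on 401 obtain a fresh token and retry exactly once.
export async function callWithBearer(
  fetchFn: Fetch, url: string, getToken: () => Promise<string>, reauth: () => Promise<string>,
): Promise<Resp> {
  let token = await getToken();
  let resp = await fetchFn(url, { Authorization: `Bearer ${token}` });
  if (resp.status === 401) {
    token = await reauth();
    resp = await fetchFn(url, { Authorization: `Bearer ${token}` });
  }
  return resp; // a second 401 goes back to the caller rather than looping
}

// Constructed stand-in for the Workflow API: only the token "fresh" is accepted.
export function fakeApi(): { fetchFn: Fetch; calls: () => number } {
  let n = 0;
  const fetchFn: Fetch = async (_url, headers) => {
    n++;
    return headers.Authorization === 'Bearer fresh'
      ? { status: 200, body: 'ok' }
      : { status: 401, body: 'invalid_token' };
  };
  return { fetchFn, calls: () => n };
}
```

The retry helper deliberately has no loop: a token that is still rejected after one re-authentication is a configuration or provider problem, and surfacing the 401 is better than hammering the API.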

@annesnour03 annesnour03 requested a review from goomens July 1, 2026 10:35
goomens
goomens previously approved these changes Jul 2, 2026
Comment thread src/auth/OidcClient.ts Outdated
import * as oidc from 'openid-client';
import { logger } from '../logger.js';

export const SURFCONEXT_AUTHORITY = new URL('https://connect.test.surfconext.nl/');

Member
Should these be part of the extension config (with these defaults)?

Author
I've now added something into the package.json for this

Comment thread src/WorkflowDebugSession.ts Outdated
logger.warn(`Workflow launch stopped because the API returned HTTP ${response.status}.`);
this.sendErrorResponse(launchResponse, {
  id: response.status,
  format: `Workflow API rejected the upload (${response.status}).`
});

Member
This should still include the error returned by the backend because this should contain a sensible error message that tells the user if they've messed up something

Author
Good idea, I'll add that in.

@goomens goomens changed the title feat: add SURFconext authentication support DN-3783 feat: add SURFconext authentication support Jul 2, 2026