Fix OAuth redirect URI format to align with Microsoft's URL standards #260446
+9
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change adds a trailing slash to the redirect URI returned by the loopbackServer's redirectUri getter to match the expected format for OAuth client registration. The issue occurs because Microsoft Entra ID automatically appends a trailing slash to redirect URIs without a path segment, but VS Code was returning URLs without the trailing slash, causing validation failures during OAuth authentication. Fixes microsoft#260425
| if (this._port === undefined) { | ||
| throw new Error('Server is not started yet'); | ||
| } | ||
| return `http://127.0.0.1:${this._port}`; |
Member
There was a problem hiding this comment.
Why did you only update this and not the redirect uris?
vscode/src/vs/base/common/oauth.ts
Lines 739 to 747 in a9c4b92
Contributor
Author
There was a problem hiding this comment.
The above file has not been updated in a while.
The June 29th PR that modified loopbackServer.ts, removed the trailing slash, introducing this standards compliance issue.
Contributor
Author
There was a problem hiding this comment.
This change may have affected it
a62ed27
Let me update this PR.
Contributor
Author
There was a problem hiding this comment.
Have updated the PR with changes to src/vs/base/common/oauth.ts
Complements the loopbackServer.ts fix by ensuring redirect URIs used in OAuth dynamic client registration also include trailing slashes for complete standards compliance with Microsoft's OAuth 2.0 URL format. Updated redirect URIs: - http://localhost -> http://localhost/ - http://127.0.0.1 -> http://127.0.0.1/ - http://localhost:{port} -> http://localhost:{port}/ - http://127.0.0.1:{port} -> http://127.0.0.1:{port}/
bluedog13
changed the title
TylerLeonhardt
previously approved these changes
Aug 8, 2025
Member
TylerLeonhardt
left a comment
TylerLeonhardt
left a comment
There was a problem hiding this comment.
LGTM, just need you to agree to the contributor agreement and we can get this in!
Contributor
Author
|
@microsoft-github-policy-service agree |
Tyriar
previously approved these changes
Aug 8, 2025
Member
|
Tests failing: |
Contributor
Author
|
Do you want me to open a different PR to fix the tests or update the current one itself? |
Member
|
@bluedog13 can you update the current one please |
The fetchDynamicRegistration function correctly includes trailing slashes on redirect URIs per the implementation. This updates the test expectations to match the actual behavior, fixing the test failure. The implementation in oauth.ts includes trailing slashes on localhost URIs: - 'http://localhost/' (with trailing slash) - 'http://127.0.0.1/' (with trailing slash) - 'http://localhost:/' (with trailing slash) - 'http://127.0.0.1:/' (with trailing slash) This test was expecting URIs without trailing slashes, causing the assertion to fail. The fix aligns the test with the correct implementation behavior.
Contributor
Author
|
The tests have been updated. |
TylerLeonhardt
approved these changes
Aug 8, 2025
Tyriar
approved these changes
Aug 8, 2025
Member
|
Thanks for contributing @bluedog13! |
Contributor
Author
|
Thank you for accepting the PR. @TylerLeonhardt |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OAuth Redirect URI Format Not Aligned with Microsoft's URL Standards
Problem
VS Code's OAuth implementation generates redirect URIs without trailing slashes, while Microsoft's own OAuth 2.0 documentation and standards-compliant identity providers (including Entra ID) require trailing slashes in redirect URIs per RFC specifications.
This creates a mismatch where:
http://127.0.0.1:3000http://127.0.0.1:3000/Root Cause
Microsoft Entra ID (and other compliant IDPs) automatically append trailing slashes to redirect URIs during OAuth flows, following Microsoft's documented standards. However, VS Code's implementation returns URLs without trailing slashes, causing URI mismatch validation failures.
Recent Change Context
A June 29th PR that modified
loopbackServer.tsremoved the trailing slash, introducing this standards compliance issue. This change made VS Code generate non-compliant redirect URIs that don't align with Microsoft's own OAuth 2.0 format requirements.Solution
This PR restores trailing slashes in two key locations:
loopbackServer.ts(line 105): Runtime redirect URI generationoauth.ts(lines 739-746): Dynamic client registration redirect URIsChanges:
http://127.0.0.1:${port}→http://127.0.0.1:${port}/http://localhost→http://localhost/http://127.0.0.1→http://127.0.0.1/http://localhost:${port}→http://localhost:${port}/Impact
Standards Reference
This change ensures VS Code follows Microsoft's own OAuth 2.0 redirect URI format requirements, improving compatibility with standards-compliant identity providers.
Fixes #260425