vscode: Microsoft Authentication Provider fails to authenticate in sovereign aka national/gov clouds e.g. Mooncake, DoD

Does this issue occur when all extensions are disabled?: Yes/No

  • VS Code Version: 1.71.2
  • OS Version: Windows 11 Enterprise, Version: 21H2, OS Build: 22000.978

Steps to Reproduce:

  1. Open PowerPages Studio (https://make.powerpages.microsoft.cn/)
  2. Login with correct credentials of a user in Mooncake
  3. Launch VSCode for web
  4. Notice the authentication popup (the AzureAD endpoint is https://login.microsoftonline.com/; it should have been https://login.partner.microsoftonline.cn/)
  5. Since the AzureAD endpoint is incorrect, it is not able to find the user.


About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 28 (21 by maintainers)

Most upvoted comments

@bwateratmsft yes I want that for this as well: https://github.com/microsoft/vscode/issues/115626 and have a similar proposal there

@stgarf-sx LiveShare has to intentionally make a change to support sovereign clouds so I doubt you are leveraging this change. (Telemetry says that no one is yet)

So when you initiate a sign in, login.microsoftonline.com opens, right? And do you put your Sovereign Cloud email in there? I’m still wondering how you’re getting this error through the normal public cloud flow.

Nice! Great minds think alike 😄

I think the signature of providerOptions in your draft could be made more generic, i.e. unknown, assuming that there aren’t problems with crossing process boundaries or something.

Also GCC-H clouds are a thing. Just wanted to call that out as I am merging an issue about that with this issue.

Relating to the questions that @TylerLeonhardt raised, I can offer some insights from how the Azure Account extension does things.

There are two ways to log in to a sovereign cloud in the Azure Account extension. The first is to set some VSCode settings, and then log in. The second is a separate login command, “Log in to Azure Cloud…”, which first prompts for which sovereign cloud to log in to, and then sets the setting, and then proceeds with login as normal.

I think that both a setting in the auth provider extension and an input hack like VSCODE_CLIENT_ID would be helpful. The former would be ideal for users that want to configure every Azure extension all from one place. The latter would be good if there was an extension that wanted to reach “across” to a separate sovereign cloud. I saw in source code that the default login URL, microsoftonline.com, is hardcoded; I think that the default could be controlled by the setting, while including the ability to override with something like the VSCODE_CLIENT_ID.
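As an added example (not code from VS Code, the Azure Account extension, or anyone in this thread), this is one way the setting-plus-override scheme described above could resolve the Azure AD authority without hardcoding login.microsoftonline.com, while refusing any authority that is not a known cloud host so that a stray setting cannot redirect sign-in elsewhere. The setting and override names are assumptions; the US Government host comes from Microsoft's documentation rather than from this thread.

```typescript
// Known Azure AD authority hosts. The public and China hosts appear in the
// issue; the US Government host is added from Microsoft's documentation.
export const KNOWN_AUTHORITIES: Readonly<Record<string, string>> = {
  AzureCloud: "https://login.microsoftonline.com",
  AzureChinaCloud: "https://login.partner.microsoftonline.cn",
  AzureUSGovernment: "https://login.microsoftonline.us",
};

export interface AuthorityOptions {
  // Hypothetical user setting naming the cloud, e.g. "AzureChinaCloud".
  cloudSetting?: string;
  // Hypothetical per-request override URL, in the spirit of VSCODE_CLIENT_ID,
  // for an extension that needs to reach "across" to another cloud.
  authorityOverride?: string;
}

// Precedence: explicit override > configured cloud > public default.
// Unknown values raise an error instead of silently falling back to the
// public cloud, which is the failure mode the issue describes.
export function resolveAuthority(opts: AuthorityOptions = {}): string {
  if (opts.authorityOverride !== undefined) {
    // Normalise to scheme + host so paths, ports and look-alike hosts
    // cannot slip past the allowlist comparison.
    const origin = new URL(opts.authorityOverride).origin;
    if (!Object.values(KNOWN_AUTHORITIES).includes(origin)) {
      throw new Error(`authority not in allowlist: ${opts.authorityOverride}`);
    }
    return origin;
  }
  const cloud = opts.cloudSetting ?? "AzureCloud";
  const authority = KNOWN_AUTHORITIES[cloud];
  if (authority === undefined) {
    throw new Error(`unknown cloud: ${cloud}`);
  }
  return authority;
}

// Build the v2.0 token endpoint for a tenant on the resolved authority.
export function tokenEndpoint(authority: string, tenant = "common"): string {
  return `${authority}/${encodeURIComponent(tenant)}/oauth2/v2.0/token`;
}
```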

@jingloumsft I know we have some sovereign cloud accounts for testing, can we share these with Tyler?

Couple of questions I need to answer:

  • Can we leave it up to the extension to ask for a particular Cloud? Or does the User have to start a specific “Azure Cloud” flow? (example in the wild: currently the Azure Account extension asks the user to choose Azure or Azure Cloud)
    • If the latter, can we do so without disrupting the user's flow today since 99% of customers don’t know and don’t need to know what an Azure Cloud is? (ex: GitHub Enterprise is a separate auth provider that is only enabled if the user applies a setting github-authentication.uri)
    • If the former, do we want to tack on more scope hacks similar to VSCODE_CLIENT_ID or finally allow a property bag of provider specific configuration?
  • Can vscode.dev, a service not hosted in an Azure Cloud, do a POST request to /{tenant}/oauth2/v2.0/token or will it be blocked?
  • To have confidence, I will want to validate this works in all Azure Clouds. What’s the process for getting an account in each of these clouds?