fix(copilot): add token exchange and editor headers for corporate network compatibility#18782
fix(copilot): add token exchange and editor headers for corporate network compatibility#18782ykbytes wants to merge 1 commit intoanomalyco:devfrom
Conversation
github-actions
bot
added
needs:compliance
|
Thanks for your contribution! This PR doesn't have a linked issue. All PRs must reference an existing issue. Please:
See CONTRIBUTING.md for details. |
|
The following comment was made by an LLM, it may be inaccurate: Based on my search results, I found one potentially related PR: PR #14189: "fix(opencode): exchange OAuth token for Copilot JWT to fix GitHub Enterprise auth" This PR appears to address a similar issue - exchanging OAuth tokens for Copilot JWT. This could be related to your current PR's token exchange feature, though it was specifically for GitHub Enterprise auth. You should check if this PR was merged or closed, and whether it covers the corporate network SSL inspection scenario or if your PR extends/improves upon that work. |
…ate network compatibility The GitHub Copilot provider was sending the raw GitHub OAuth access token directly to api.githubcopilot.com. This works in some environments but fails on corporate networks with SSL inspection (e.g., Zscaler), causing requests to hang indefinitely with no error. VS Code, Zed, and other editors that work correctly on these networks perform a token exchange step first: 1. POST api.github.com/copilot_internal/v2/token with the OAuth token 2. Receive a short-lived Copilot session JWT + the correct API endpoint 3. Use the session JWT and resolved endpoint for API calls This commit adds: - Token exchange via copilot_internal/v2/token (with caching + TTL) - Dynamic API endpoint resolution from the token response (e.g., api.individual.githubcopilot.com vs api.githubcopilot.com) - Editor identification headers (Editor-Version, Editor-Plugin-Version, Copilot-Integration-Id) matching the expected format - VS Code OAuth Client ID (Iv1.b507a08c87ecfe98) - Graceful fallback to the raw OAuth token if exchange fails Fixes GitHub Copilot hanging on corporate networks with SSL inspection.
ykbytes
force-pushed
the
fix/copilot-token-exchange
branch
from
970301d to
f2b5e2a
Compare
github-actions
bot
removed
the
needs:compliance
|
Thanks for updating your PR! It now meets our contributing guidelines. 👍 |
1 participant
Issue for this PR
Closes #18785
Related: #14189 (similar token exchange fix for GitHub Enterprise auth)
Type of change
What does this PR do?
The Copilot plugin sends the raw GitHub OAuth token directly to api.githubcopilot.com. On corporate networks with SSL inspection, this causes requests to hang forever with no error.
I debugged this by comparing what VS Code and Zed do vs what OpenCode does. The difference: VS Code and Zed perform a token exchange before calling the Copilot API. OpenCode skips it entirely.
The flow VS Code uses:
GET api.github.com/copilot_internal/v2/tokenwith the OAuth token -> get a short-lived Copilot session JWT + the correct API endpointapi.individual.githubcopilot.com)OpenCode was skipping step 2 and sending the raw OAuth token to
api.githubcopilot.com(the generic endpoint from models.dev, not the user-specific one returned by the token exchange).This PR adds to
packages/opencode/src/plugin/copilot.ts:copilot_internal/v2/tokenwith caching and TTL-based expiryHow did you verify your code works?
api.individual.githubcopilot.com)bun run dev run 'say hi in 3 words'- got a successful response from gpt-4.1Screenshots / recordings
N/A - not a UI change
Checklist