VSCode reconnection issues for remote connections #1776
To fix on Mac, bring up the keychain and delete the most recent codewind refresh token, then stop and start the remote connection to force a login.
It sounds like the IDE has cached a bad / expired access token and tries to use that when re-establishing a connection to the UI socket. I noticed when I manually deleted the access_token and refresh_token from the keychain that they were not re-created when toggling the connection off/on from the connections list button. (only going through the connections screen and re-saving the password did that - which then makes the connection work again). So that suggests that the IDE is not calling the cwctl to get a new set of tokens when re-starting the connection.
Doesn't the ability to refresh the access token rely on the current access token being valid? If it does, and this scenario is causing the access token to be invalidated (as opposed to just being expired), then refreshing the token won't be enough, we'll need to re-authenticate.
I assume that underlying this is that when the gatekeeper sees the current access token being presented from an IP address that differs from the one it was issued on, it rejects/invalidates it.
@jopit the refresh-token contains enough information for Keycloak to determine the user and works independently of any previously issued access-tokens. The refresh-token can be used instead of a username:password to request an access-token through cwctl, but unlike username:passwords the refresh token has a much shorter lifespan, making them more suitable for session-based caching.
Refresh tokens should be sent to
Important points here are:
access-tokens expire before refresh-tokens
For Socket IO connections the behaviour is a little different.
When the IDE connects to the Codewind UISocket it must emit an authentication event with an access-token payload. The access-token must be valid (not expired) and must have originated from a Keycloak service trusted by the Codewind deployment. Codewind will check the access-token and validate it using the realm and codewind-client public key stored in Keycloak. Assuming the access-token is good, the socket is considered authenticated and streaming of socket messages can proceed until such time as the socket connection disconnects.
Important point here is: socket IO connections remain authenticated beyond the lifespan of the access-token until the connection drops.
When the socket drops (which could be hours after the original connection) there is a very high chance the access-token originally used would have now expired. The socket IO protocol does not consume a refresh token (refreshing a token is a cwctl task) and for that reason, a new access token should be requested via cwctl and presented in the follow-up socket reconnection attempts.
The IDE still has a choice of using the
You might ask, what's the point of using
So in short, when socket connections drop (for whatever reason) please use cwctl to request a new access_token and use that new access-token when reconnecting.
@tetchel I created #1870 because it will simplify the IDE calls to cwctl in that IDEs will only need to call
We'll keep both commands available in cwctl as it assists with troubleshooting tokens, but once #1870 lands IDEs should just use
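The reconnection rule described in this thread, sketched as an added example (not code from the thread or from the Codewind project): after a socket drop the cached access-token is discarded and a new one is requested before the authentication event is emitted. The function names, the `{ token }` payload shape, the 30-second skew and `requestToken` (a stand-in for the IDE's call to cwctl) are assumptions.

```javascript
// Constructed sample: an unsigned JWT-shaped token carrying only an `exp` claim.
function sampleToken(expSec) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64({ alg: 'none' })}.${b64({ exp: expSec })}.sig`;
}

// Read `exp` (seconds since epoch) from a JWT payload. No signature check here:
// the client only decides whether to refresh; the server validates the token.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 0; // malformed: treat as expired
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return typeof claims.exp === 'number' ? claims.exp : 0;
  } catch (e) {
    return 0; // undecodable payload: treat as expired
  }
}

// Return a token valid for at least `skewSec` more seconds. `requestToken` is a
// hypothetical stand-in for asking cwctl for a new access-token.
async function freshToken(cache, requestToken, nowSec, skewSec = 30) {
  if (!cache.token || jwtExpiry(cache.token) <= nowSec + skewSec) {
    cache.token = await requestToken();
  }
  return cache.token;
}

// `socket` needs on(event, fn) and emit(event, payload), as a Socket.IO client has.
function attachAuth(socket, cache, requestToken, now) {
  // A dropped socket may have outlived its token, or the token may have been
  // invalidated server-side, so never reuse the cached one after a drop.
  socket.on('disconnect', () => { cache.token = null; });
  socket.on('connect', async () => {
    const token = await freshToken(cache, requestToken, now());
    socket.emit('authentication', { token }); // payload shape is an assumption
  });
}
```

Clearing the cache on disconnect also covers the case raised earlier in the thread where the token is rejected for a reason other than expiry, which an `exp` check alone would not detect.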