Cache auth tokens client-side to dedupe agent host authenticate RPCs#312017
Merged
roblourens merged 2 commits intomainfrom Apr 22, 2026
Merged
Cache auth tokens client-side to dedupe agent host authenticate RPCs#312017roblourens merged 2 commits intomainfrom
roblourens merged 2 commits intomainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds client-side deduplication of agent-host authenticate RPCs by caching the last token sent per protected resource, reducing redundant auth calls triggered by repeated root-state and auth-session events.
Changes:
- Introduces
AgentHostAuthTokenCacheto track last-sent tokens per resource and determine whether anauthenticateRPC is necessary. - Applies token-dedupe behavior to both local (
AgentHostContribution) and remote (RemoteAgentHostContribution) agent-host authentication flows (including interactive auth seeding). - Adds unit tests for the cache and integration-style tests validating dedupe behavior through the real contribution auth path.
Show a summary per file
| File | Description |
|---|---|
| src/vs/workbench/contrib/chat/test/browser/agentSessions/agentHostChatContribution.test.ts | Adds integration tests asserting authenticate RPCs are deduped across rootState changes and token rotation. |
| src/vs/workbench/contrib/chat/test/browser/agentSessions/agentHostAuth.test.ts | Adds unit tests for AgentHostAuthTokenCache. |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostChatContribution.ts | Adds token caching + dedupe to local agent-host authentication, and seeds cache from interactive auth. |
| src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostAuth.ts | Introduces AgentHostAuthTokenCache. |
| src/vs/sessions/contrib/remoteAgentHost/browser/remoteAgentHost.contribution.ts | Adds token caching + dedupe to remote agent-host authentication and interactive auth path. |
Copilot's findings
Comments suppressed due to low confidence (2)
src/vs/sessions/contrib/remoteAgentHost/browser/remoteAgentHost.contribution.ts:568
- In the interactive auth flow, the cache is updated before calling
authenticatewhen a token is already resolvable. If that call fails, the cache will treat the token as current and may suppress subsequent retries. Consider seeding the cache only afterauthenticatesucceeds (or reverting the update on error).
const token = await this._resolveTokenForResource(resourceUri, resource.authorization_servers ?? [], resource.scopes_supported ?? []);
if (token) {
authTokenCache?.updateAndIsChanged(resource.resource, token);
await loggedConnection.authenticate({
resource: resource.resource,
token,
});
src/vs/workbench/contrib/chat/browser/agentSessions/agentHost/agentHostChatContribution.ts:322
- In the interactive auth path, the cache is updated before calling
authenticatewhen a token is already resolvable. If the RPC fails, the cache will still treat the token as current and future auth passes may be skipped even though the server never received/accepted it. Updating the cache only after a successfulauthenticate(or rolling back on failure) would avoid this failure mode.
const resolved = await resolveTokenForResource(resourceUri, resource.authorization_servers || [], resource.scopes_supported || [], this._authenticationService, this._logService, '[AgentHost]');
if (resolved) {
this._authTokenCache.updateAndIsChanged(resource.resource, resolved);
await this._loggedConnection!.authenticate({
resource: resource.resource,
token: resolved,
});
- Files reviewed: 5/5 changed files
- Comments generated: 3
The local and remote agent host contributions were re-firing 'authenticate' RPCs on every rootState change, every default-account change, and every VS Code auth session even when the token had not changed. Thechange server-side string compare absorbed this, producing repeated '[Copilot] Auth token unchanged' log lines for every redundant call. Add an AgentHostAuthTokenCache that tracks the last token sent per protected-resource URI. Skip the RPC when the token is unchanged. Cache lifetime is per-contribution for the local agent host and per-connection for remote agent hosts (so it's dropped on disconnect). Tests: - 5 unit tests for AgentHostAuthTokenCache (first/repeat/rotate/per-URI/clear) - 3 integration tests against AgentHostContribution exercising the real _authenticateWithServer path (dedupe holds, rotation re-fires, no-token is a no-op) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
roblourens
force-pushed
the
roblou/agents/client-authentication-issue-exploration
branch
from
05216b9 to
35d38d7
Compare
- Seed the auth token cache only after a successful authenticate RPC (not before) so a transient RPC failure doesn't suppress future retries - On RPC failure, evict the per-resource cache entry so the next auth pass will retry that resource - Clear the entire cache when the local agent host process (re)starts, preventing the first post-restart authenticate from being skipped as 'token unchanged' - Same fixes applied to the remote agent host contribution Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Screenshot ChangesBase: Changed (2)
|
| Before | After |
|---|---|
 |
 |
editor/inlineCompletions/other/JumpToHint/Dark
| Before | After |
|---|---|
 |
 |
bryanchen-d
approved these changes
Apr 22, 2026
roblourens
deleted the
roblou/agents/client-authentication-issue-exploration
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The local and remote agent host contributions were re-firing
authenticateRPCs on every rootState change, every default-account change, and every VS Code auth session change — even when the token had not changed. The server-side string compare absorbed this, producing repeated[Copilot] Auth token unchangedlog lines for every redundant call.Fix
Add an
AgentHostAuthTokenCachethat tracks the last token sent per protected-resource URI. Skip the RPC when the token is unchanged.ConnectionState, so it's dropped on disconnect.The cache is also seeded from the interactive auth path so the first eager pass doesn't re-fire after an interactive sign-in.
Tests
AgentHostAuthTokenCache(first token / repeat unchanged / rotation / per-URI independence / clear)AgentHostContributionexercising the real_authenticateWithServerpath:rootStateevents → exactly 1authenticatecall(Written by Copilot)