Grant extensions access to OAuth tokens

Grant specific extensions access to OAuth authentication tokens in Microsoft Visual Studio Code by configuring the trustedExtensionAuthAccess field. This allows extensions that require access to services such as GitHub, Microsoft, or any other OAuth-enabled service to authenticate without manual intervention.

	"trustedExtensionAuthAccess": [
		"<publisher1>.<extension1>",
		"<publisher2>.<extension2>"
	]

Define the variable in the devfile or in a ConfigMap.

Use the trustedExtensionAuthAccess field with caution as it could potentially lead to security risks if misused. Give access only to trusted extensions.

Since the Microsoft Visual Studio Code editor is bundled within che-code image, you can only change the product.json file when the workspace is started up.

Prerequisites
  • An active kubectl session with administrative permissions to the Kubernetes cluster. See Overview of kubectl.

Procedure
  1. Define the VSCODE_TRUSTED_EXTENSIONS environment variable in devfile.yaml:

       env:
         - name: VSCODE_TRUSTED_EXTENSIONS
           value: "<publisher1>.<extension1>,<publisher2>.<extension2>"
  2. Alternatively, mount a ConfigMap with the VSCODE_TRUSTED_EXTENSIONS environment variable. With a ConfigMap, the variable is propagated to all your workspaces and you do not need to add the variable to each devfile you are using.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: trusted-extensions
      labels:
        controller.devfile.io/mount-to-devworkspace: 'true'
        controller.devfile.io/watch-configmap: 'true'
      annotations:
        controller.devfile.io/mount-as: env
    data:
      VSCODE_TRUSTED_EXTENSIONS: '<publisher1>.<extension1>,<publisher2>.<extension2>'
Verification
  • Start or restart the workspace and verify that the trustedExtensionAuthAccess section is added to the product.json file.