Trusted Extensions for Authentication Providers (vscode-style Trust Mechanism) #16194
Replies: 1 comment
-
|
@chroberino Thanks for bringing this up! This certainly is a very relevant topic. I think there is two sides to it:
For Theia, one challenge is to maintain a certain compatibility with the VSIX format. So I'd prefer a solution that is orthogonal to the VSIX format. That being said, in custom Theia-based tools, using a customization, we could (and has been done afaik) enforce installation checks by providing a list of verified extensions (e.g. ID+checksum) and ensure only those can be installed. For Open-VSX, it could make sense to align with open-vsx. In open-vsx there is also the concept of verified publishers. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I’d like to explore the possibility of introducing a mechanism in Theia that enables trusted extensions to reuse authentication sessions or credentials/tokens/etc. -- similar to how VS Code handles authentication provider trust.
In VS Code, users can click “Manage Trusted Extensions” per account (e.g. GitHub) to see which extensions are reusing the authentication and configure or deny access on a per-extension basis (see screenshots). Often, trust is pre-established based on publisher identity, with the option for manual overrides.
My use case in Theia:
This is essential for cyber security, as SSO sessions can grant broad access to backend systems.
Questions
For context, I don’t necessarily require a full UI like VS Code’s “Manage Trusted Extensions” dialog. The core need is a way to enforce trust in code -- for example, by ensuring only known, verified extensions can access authentication sessions.
However, if such trust enforcement cannot be reliably done in code alone, it may be necessary to delegate the decision to users or administrators, allowing them to explicitly define which extensions they trust to access sensitive authentication data.
Trust via Extension IDs?
One obvious mechanism would be to specify trusted extension IDs, but this raises concerns: In the current ecosystem, there’s no guarantee that an extension ID (e.g.
publisher.extension) uniquely identifies a trusted party. Any extension could potentially use a well-known ID unless Theia verifies the publisher or origin.If an extension is installed via
.vsixrather than the Marketplace, the runtime cannot verify the claimed publisher identity. This makes it possible for a malicious extension to spoof a trusted ID.In VS Code, some level of identity enforcement exists for Marketplace-installed extensions through publisher signatures, but even there, this breaks down with direct
.vsixinstalls.This suggests that trust enforcement would need to be backed by some form of signature, publisher verification, or isolated packaging, rather than just string comparisons.
This highlights the need for a stronger trust model -- ideally one that:
Side Note: I came across #15741, which touches on GitHub SSO behavior in Theia. It seems loosely related in terms of authentication/session management, which makes me wonder if there's already groundwork in Theia around account/session access policies.
Beta Was this translation helpful? Give feedback.
All reactions