Remove need for manual copy/paste of SAS Authorization Code (was: SAS Token SSO Authentication for SAS Viya Connection with Keycloak) #1198
Comments
Hi @nrineausanofi, I had a virtual call with Alexandre and Benjamin a few weeks ago, before I went on a long vacation, and as a product manager I would like to double check some things to help the developers understand more context about this request. It was my understanding that SAS Studio worked fine in this SSO setup even though the SAS Viya pods were relaunched as well. And this SSO setup was accomplished using standard configuration settings in SAS Viya. When going to the SAS Studio URL, the webapp recognized that SAS Viya was configured for SSO and the Studio and Compute session were started without the user ever providing credentials. Did I understand this correctly or did my vacation blur my memory?

Reason for asking is that we brainstormed during our meeting that if SAS Viya webapps, like SAS Studio, support this seamlessly, then we should look into making the SAS Extension for VSCode behave the same way. This would then remove the need to provide credentials "all the time" even for these very transient VSCode environments running on a Linux webapp server.

As you might know, the SAS extension normally asks the user for credentials only during the first connect and then requests an OAuth Viya Access Token, which the user then has to copy/paste from the web browser window into the VSCode panel shown by the SAS extension. The SAS Extension then uses this to request a Viya Refresh Token, which it then stores in the VSCode SecretStorage API and uses to create future sessions. Normally the user only has to go through this manual process on their first connection to SAS Viya as long as they connect at least once before the Refresh Token expires. This token expiration time defaults to 14 days (I think) and can be configured by the SAS/Kubernetes administrator.

For your setup where the pod containing the VSCode install is relaunched quite frequently, my guess would be that the VSCode SecretStorage API persists that Viya refresh token in a location that does not survive a pod relaunch. And that might be why you are seeing that the extension asks for credentials after each pod relaunch. Did some quick Google searches and it seems that this VSCode API can be configured at the Linux server level, so perhaps that could be used to have the Viya Refresh Token persist across pod relaunches? Have you considered that option? Don't get me wrong, I understand that is not true SSO. But perhaps it could help as long as there is no SSO support in the extension?
Hi Nicolas (@nrineausanofi), Have thought about this a bit more and am wondering if this is "simply" about removing the need for the manual copy/paste of the Authorization Token that is shown in a browser window when the SAS Extension performs its first connection to a SAS Viya 4 server even when SSO is in use? That browser window is shown both for user/pass and SSO authentication when the SAS Extension can't find a valid (unexpired) Refresh Token for the SAS Viya server.

In a "standard" setup, where VS Code is permanently installed and SSO is configured for Viya, the SAS Extension will look for a valid Viya Refresh Token in the VS Code SecretStorage API and when found requests a session token (and probably a new refresh token as well) without the user being prompted for anything. So only on the first connection to Viya, or to be more precise on first connection and when the Refresh Token has expired, it will show the browser window with an Authorization Token and only then the user needs to manually copy/paste it from browser window to the entry field displayed by the SAS extension inside the VS Code window.

Now what is different in your environment is that you are using the web version of VS Code and it lives in a pod that is relaunched regularly. So whenever the pod is relaunched, probably the "contents of the VS Code SecretStorage API" disappear, so the SAS Extension has no Viya Refresh Token and the user has to go through the "manual copy/paste Authorization Token" step again. Am I getting close? If so, then I will change the title of this issue to something like "Remove need for manual copy of authorization token for initial Viya SSO connection".

Thanks,
Describe the feature request
We would like to have Single Sign-On (SSO) authentication support when connecting to SAS Viya using the SAS extension in VSCode. Currently, even though the user is already authenticated via Keycloak, the SAS extension does not handle the existing SSO session properly, resulting in several steps and clicks required to retrieve and manually input a token each time the pod is relaunched.
Steps to reproduce the behavior:
1. The user logs into the eWise application using Keycloak for SSO authentication.
2. After successful authentication, the user opens VSCode by triggering Kubeflow, which validates the Keycloak session.
3. Kubeflow launches a Kubernetes pod running code-server (VSCode) with a default user image.
4. Once VSCode is launched, the user attempts to connect to SAS Viya using the SAS extension.
5. Despite having an existing Keycloak SSO session, the user is required to manually copy and paste the token every time the pod is relaunched. Since the SAS token is stored in the pod, this process needs to be repeated each time, adding unnecessary complexity.
Expected behavior
The SAS extension in VSCode should automatically recognize the active SSO session authenticated via Keycloak when connecting to SAS Viya. It should authenticate seamlessly without requiring the user to re-enter credentials or manually copy and paste the token.
Environment (please complete the following information):
- code-server version: 1.5.3
- Kubeflow version: 0.10
- EKS version: 1.29
- Extension version: v1.5.0-sanofi
- SAS version: Long-Term Support 2024.03
- Keycloak version: 24.05
Additional context
The authentication chain is as follows: The user authenticates with Keycloak in the eWise application → Opens VSCode through Kubeflow → Kubeflow validates the Keycloak session and launches a code-server pod → The user attempts to connect to SAS Viya through the SAS extension.
Both eWise and SAS Viya are configured to use the same Keycloak realm for authentication.