Skip to content

GitHub Enterprise: Windows SSPI/Kerberos credential provider not used for GHE SSO authentication #8818

Description

@chirag127

Environment

  • OS: Windows 11 Enterprise (domain-joined, AD/Entra ID)
  • VS Code: latest
  • Extension: github.vscode-pull-request-github (latest)
  • GitHub Enterprise Server or GitHub Enterprise Cloud with SAML SSO

Description

On domain-joined Windows machines with GitHub Enterprise configured for SAML SSO (backed by Azure AD / Entra ID), the extension's OAuth device flow does not integrate with the Windows credential manager or SSPI. Users must re-authenticate in a browser popup every session, even though their identity is already established via the corporate IdP.

Additionally, when a GHE instance sits behind an authenticating proxy that issues NTLM/Kerberos challenges, the extension's HTTP client cannot complete the proxy handshake, resulting in 407 Proxy Authentication Required errors. VS Code core handles NTLM proxy auth for its own requests, but extensions using the @octokit/rest HTTP client do not inherit this handling.

Steps to Reproduce

  1. Domain-joined Windows machine, corp GHE with SAML SSO enabled
  2. Configure the extension with the GHE URL
  3. Authenticate — browser flow completes, token stored
  4. Next day / after SSO token rotation: extension shows authentication error or stale credential prompt
  5. On proxy-gated networks: observe 407 errors in extension output channel

Expected vs Actual Behavior

Expected: Extension integrates with Windows credential manager for token persistence across SSO rotations, and routes through NTLM/Kerberos proxy without separate configuration.

Actual: Users must re-authenticate manually after each SSO session rotation; proxy authentication is not handled.

Additional Context

Issue #701 tracks basic http.proxy support. This is distinct: it covers NTLM/Kerberos proxy auth (Windows-specific challenge-response) and SSO session lifecycle integration, neither of which is addressed by a simple proxy URL setting.

Metadata

Metadata

Assignees

Labels

feature-requestRequest for new features or functionality

Type

No type
No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions