Environment
- OS: Windows 11 Enterprise (domain-joined, AD/Entra ID)
- VS Code: latest
- Extension: github.vscode-pull-request-github (latest)
- GitHub Enterprise Server or GitHub Enterprise Cloud with SAML SSO
Description
On domain-joined Windows machines with GitHub Enterprise configured for SAML SSO (backed by Azure AD / Entra ID), the extension's OAuth device flow does not integrate with the Windows credential manager or SSPI. Users must re-authenticate in a browser popup every session, even though their identity is already established via the corporate IdP.
Additionally, when a GHE instance sits behind an authenticating proxy that issues NTLM/Kerberos challenges, the extension's HTTP client cannot complete the proxy handshake, resulting in 407 Proxy Authentication Required errors. VS Code core handles NTLM proxy auth for its own requests, but extensions using the @octokit/rest HTTP client do not inherit this handling.
Steps to Reproduce
- Domain-joined Windows machine, corp GHE with SAML SSO enabled
- Configure the extension with the GHE URL
- Authenticate — browser flow completes, token stored
- Next day / after SSO token rotation: extension shows authentication error or stale credential prompt
- On proxy-gated networks: observe 407 errors in extension output channel
Expected vs Actual Behavior
Expected: Extension integrates with Windows credential manager for token persistence across SSO rotations, and routes through NTLM/Kerberos proxy without separate configuration.
Actual: Users must re-authenticate manually after each SSO session rotation; proxy authentication is not handled.
Additional Context
Issue #701 tracks basic http.proxy support. This is distinct: it covers NTLM/Kerberos proxy auth (Windows-specific challenge-response) and SSO session lifecycle integration, neither of which is addressed by a simple proxy URL setting.
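An added triage example, not part of the original report or the extension's code: given the raw head of a 407 response copied from an output channel or proxy trace, it lists the offered `Proxy-Authenticate` schemes and flags when only Negotiate/NTLM are offered. All function names and both sample responses are hypothetical and constructed for illustration.

```javascript
// HTTP auth schemes that need a multi-leg challenge-response (SSPI on Windows).
const INTEGRATED = new Set(['negotiate', 'ntlm']);

// Split a raw response head into a status code and [name, value] header pairs.
function parseResponseHead(raw) {
  const [statusLine, ...lines] = raw.split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(statusLine);
  if (!m) throw new Error('not an HTTP response head');
  const headers = [];
  for (const line of lines) {
    if (line === '') break; // blank line ends the head
    const i = line.indexOf(':');
    if (i > 0) headers.push([line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()]);
  }
  return { status: Number(m[1]), headers };
}

// Collect scheme names from every Proxy-Authenticate header. One header may carry
// several comma-separated challenges, and commas may also appear inside quotes.
function challengeSchemes(headers) {
  const schemes = [];
  for (const [name, value] of headers) {
    if (name !== 'proxy-authenticate') continue;
    const parts = value.match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
    for (const part of parts.map((p) => p.trim())) {
      if (/^[\w!#$%&'*+.^`|~-]+\s*=/.test(part)) continue; // auth-param, not a new challenge
      const scheme = part.split(/\s+/)[0].toLowerCase();
      if (scheme && !schemes.includes(scheme)) schemes.push(scheme);
    }
  }
  return schemes;
}

// Report which schemes a 407 offers and whether only integrated auth would satisfy it.
function diagnoseProxy407(raw) {
  const { status, headers } = parseResponseHead(raw);
  if (status !== 407) return { status, schemes: [], integratedOnly: false };
  const schemes = challengeSchemes(headers);
  return { status, schemes, integratedOnly: schemes.length > 0 && schemes.every((s) => INTEGRATED.has(s)) };
}

// Constructed sample responses (not captured from a real proxy).
const SAMPLE_INTEGRATED = 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n';
const SAMPLE_MIXED = 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM, Basic realm="corp, proxy", charset="UTF-8"\r\n\r\n';

console.log(diagnoseProxy407(SAMPLE_INTEGRATED), diagnoseProxy407(SAMPLE_MIXED));
```

An `integratedOnly: true` result means the proxy accepts nothing but Negotiate or NTLM, which is the case this report separates from basic proxy URL support.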