Documentation issue: Source map authentication

[johncrim]

This issue is to obtain sufficient documentation for a claimed new feature to be used.

The release notes from the newest (Aug 2023) VS Code release says:

Source maps can now be automatically loaded from authenticated endpoints

That's great! But to use this, we need some more info:

• What types of authentication are supported? Basic Authentication, Digest Authentication, Client certs, OAuth/OpenID? Does it just figure it out really (if so I'm impressed!)? Is there a way to provide redirects eg for OpenID Connect?
• Does this work for multiple browser extensions? Eg can I use both the Chrome and MSEdge extensions to debug apps, while loading sourcemaps from authenticated endpoints?

I haven't been able to find any info on this in the release notes or VS Code docs. I would expect more info on the browser debugging page or the Node debugging page. This seems like a browser debugging feature, b/c securing source maps seems more critical for front-end code than back-end code.

[connor4312]

This refers to microsoft/vscode-js-debug#1772, which uses the browser's network stack if we can't externally request the sourcemaps. This allows any authentication state that may be present for the sourcemap's path (like auth cookies) to be given in the request. The full scope of what exactly is included and how redirects are handled are up to the browser.

[johncrim]

That's great! I really appreciate your work on this, it's a big deal! So whatever auth the browser can handle automatically, eg cookie auth or possibly client certs. Thank you for the additional info.

I do think that this should be reflected in the documentation, but my information needs are met (also feel free to paste into https://stackoverflow.com/questions/77090708/vs-code-aug-2023-how-can-source-maps-be-automatically-loaded-from-authenticated if you want some SO points).

Shall I leave it open for docs, or close it?

[connor4312]

I'm not sure what it'd be useful to say in the docs about it -- there's no configuration available for this behavior, it 'just happens'. What information about it do you think would be relevant for users?

[johncrim]

I was thinking something along the lines of:

Source Map Request Authentication

The VS Code JavaScript debugger uses the Chromium (Chrome or Edge) browser's network stack to make requests for source map files as of v1.82. This enables forms of authentication that are supported by the browser to be used for source map requests - for example cookie authentication, or client certificates. In other words, if the source map request is authenticated when requested from browser dev tools, the same authentication should be used when VS Code requests the file.

I think this should go on the browser debugging page. I searched and searched for any info on what sourcemap authentication is supported by User Agents and couldn't find anything useful.