frequent reauthentication (github enterprise with SSO)

[Haarr]

After setting vim.g.copilot_auth_provider_url and authenticating, the extension works superbly.

But the token for copilot.vim is valid as long as your SSO session lasts. Typically 24 hours. This leads to frequent reauthentication. I believe VSCode manages a refresh token so you do not have to reauthenticate.

Is it feasible to support refresh tokens? If not, do you have any ideas for a workaround?

[tpope]

After setting vim.g.copilot_auth_provider_url and authenticating, the extension works superbly.

But the token for copilot.vim is valid as long as your SSO session lasts. Typically 24 hours. This leads to frequent reauthentication.

Not immediately obvious what this would be. I have not historically had this problem when testing copilot_auth_provider_url. (Kicking off a fresh attempt to see what happens tomorrow.)

I believe VSCode manages a refresh token so you do not have to reauthenticate.

Do you have any evidence to support that? It's a good guess for sure, but when I look at the code, I don't see the telltale refresh_token anywhere.

Can you tell me how exactly the problem is manifesting for you? Do you get an error message? Anything interesting in :Copilot log?

[tpope]

And can you tell me what's happening at /settings/apps/authorizations for your auth provider URL? Does the "GitHub Copilot Plugin" disappear or change in any way after you've been signed out against your will?

[Haarr]

Can you tell me how exactly the problem is manifesting for you? Do you get an error message? Anything interesting in :Copilot log?

Start neovim. Notice copilot is not suggesting anything. :Copilot signin --> complete flow. Works again. No messages, nothing particularly interesting in the logs that I have noticed, but I will keep an eye out.

And can you tell me what's happening at /settings/apps/authorizations

Sadly, I do not have privileges.

Do you have any evidence to support that? It's a good guess for sure, but when I look at the code, I don't see the telltale refresh_token anywhere.

No. Have to agree with you there. I jumped to the conclusion because vscode with the same enterprise+SSO setup requires a single sign-on and no reauthentication.

Maybe close this if you don't see the same behaviour and I can reopen if I find something more tangible.

[tpope]

Can you tell me how exactly the problem is manifesting for you? Do you get an error message? Anything interesting in :Copilot log?

Start neovim. Notice copilot is not suggesting anything. :Copilot signin --> complete flow. Works again. No messages, nothing particularly interesting in the logs that I have noticed, but I will keep an eye out.

Is restarting required to reproduce the problem? If you leave Neovim running, does it continue to work?

And can you tell me what's happening at /settings/apps/authorizations

Sadly, I do not have privileges.

This just Settings > Applications > Authorized GitHub Apps. Can you navigate to that?

[Haarr]

Is restarting required to reproduce the problem? If you leave Neovim running, does it continue to work?

Seems like it. Had nvim running since Friday, :Copilot status yields ready. Restarted nvim --> :Copilot log from after restart:

[2025-04-26 23:30:50] [INFO] [lsp] GitHub Copilot Language Server 1.303.0 initialized
[2025-04-26 23:30:50] [INFO] [certificates] Removed 4 expired certificates
[2025-04-26 23:30:50] [INFO] [auth] Failed to get copilot token due to 401 status. Please sign out and try again.
[2025-04-26 23:31:32] [INFO] [auth] Failed to get copilot token due to 401 status. Please sign out and try again.

Works after signing in. Could the expired certificates somehow be relevant? Appears each time I restart. But copilot.vim does not require reauthentication everytime I restart neovim. Just when restarting after some time has gone by.

This just Settings > Applications > Authorized GitHub Apps. Can you navigate to that?

Yes ofc, my bad. No change there. There are however entries in /settings/security_log for each authentication.

Reauthenticated with nvim and vscode to spot differences. Provoking reauth for vscode required explicitly signing the user out of github and back in. Not sure if relevant, but oauth_application_name was not present for copilot.vim entry and token_scopes was user:email for vscode and blank for copilot.vim.

Field	VSCode	copilot.vim
action	oauth_access.regenerate	oauth_access.regenerate
oauth_application_name	VSCode	Field not present
operation_type	modify	modify
request_access_security_header	nil	nil
token_scopes	user:email	[field present, but value blank]
user_agent	Mozilla ...	GithubCopilot/1.303.0

Other fields present in both entries: @timestamp, _document_id, business, created_at, hashed_token, token_id, user, user_id

[tpope]

Seems like it. Had nvim running since Friday, :Copilot status yields ready.

Verify it actually completes something. Status remains "ready" until there's an error.

Could the expired certificates somehow be relevant?

No, that's harmless.

[Haarr]

Seems like it. Had nvim running since Friday, :Copilot status yields ready.

Verify it actually completes something. Status remains "ready" until there's an error.

Aha, but I did complete with it also 👍

Edit:

Maybe I was wrong. The session I had running since last night did not complete anything. :Copilot status was ready, after going into insert mode it did not complete anything, but no message and nothing in logs. :Copilot status then gave Copilot: Error: Your GitHub token is invalid. Try signing in again.

[Haarr]

I notice that the two Oauth apps I have for my account is vscode and gh cli. The gh cli login is also very sticky.

One could piggyback on gh cli e.g. gh auth token --hostname oktocorp.ghe.com through a setting like g:copilot_use_gh_auth