From 09c344391538845bd8a2b0c115871c42b0ecad4c Mon Sep 17 00:00:00 2001
From: Jason Ginchereau
Date: Mon, 9 Feb 2026 13:33:17 -1000
Subject: [PATCH] Add bearer auth tunnel option
---
 cs/src/Contracts/TunnelOptions.cs | 25 +++++++++++++++++++
 go/tunnels/tunnel_options.go | 20 +++++++++++++++
 go/tunnels/tunnels.go | 2 +-
 .../tunnels/contracts/TunnelOptions.java | 23 +++++++++++++++++
 rs/src/contracts/tunnel_options.rs | 21 ++++++++++++++++
 ts/src/connections/package.json | 4 +--
 ts/src/contracts/tunnelOptions.ts | 22 ++++++++++++++++
 ts/src/management/package.json | 2 +-
 8 files changed, 115 insertions(+), 4 deletions(-)
diff --git a/cs/src/Contracts/TunnelOptions.cs b/cs/src/Contracts/TunnelOptions.cs
index b6690cc1..10be1ed0 100644
--- a/cs/src/Contracts/TunnelOptions.cs
+++ b/cs/src/Contracts/TunnelOptions.cs
@@ -95,6 +95,31 @@ public class TunnelOptions [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)] public bool? IsPartitionedSiteAuthenticationEnabled { get; set; } + /// + /// Gets or sets a value indicating whether web requests to the tunnel or port can be directly + /// authenticated with bearer token authentication by supplying an `Authorization` header with + /// an Entra ID or GitHub token of a user with access to the tunnel. The default is false, + /// which means only the tunnel web authentication cookie or `X-Tunnel-Authorization` header + /// can be used for authenticating web requests to the tunnel. + /// + /// + /// When this option is enabled, AND neither a tunnel web authentication cookie nor an + /// `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will attempt + /// to authenticate the request using the `Authorization` header with Entra ID or GitHub + /// credentials. In that case the `Authorization` header will be stripped from the request + /// before it is forwarded to the host application. + /// + /// Enabling this option may be desirable for API tunnels, where clients are likely to have + /// better support for bearer token authentication using the `Authorization` header. However, + /// interception of that header could block host applications which themselves implement + /// bearer token authentication, which is why this option is disabled by default. + /// + /// This option does not apply to the tunnel management API, which always supports bearer + /// token authentication using the `Authorization` header. + /// + [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)] + public bool? IsBearerTokenAuthenticationEnabled { get; set; } + /// /// Gets or sets the timeout for HTTP requests to the tunnel or port. /// diff --git a/go/tunnels/tunnel_options.go b/go/tunnels/tunnel_options.go index fcddc61b..b887d171 100644 --- a/go/tunnels/tunnel_options.go +++ b/go/tunnels/tunnel_options.go 
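Review bot: The new remarks do not say what the relay does when this option is enabled and a request carries an `Authorization` header whose token is not accepted (not an Entra ID/GitHub token, expired, or a user without access to the tunnel): whether the request is rejected at the relay or forwarded to the host with the header left intact. That case determines whether a host application that performs its own bearer authentication can still function behind an enabled tunnel, and whether a token meant for the host can reach it, so it is the part of the contract a caller most needs before turning the option on. Suggest one sentence after `before it is forwarded to the host application.`, along the lines of `If the token is not accepted, the request is [rejected | forwarded with the header removed] (TODO confirm actual relay behavior).`, filled in by whoever can check the relay. The Go, Java, Rust and TypeScript hunks below repeat the same paragraph and should carry the same sentence.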
@@ -59,6 +59,26 @@ type TunnelOptions struct { // do not support partitioning. IsPartitionedSiteAuthenticationEnabled bool `json:"isPartitionedSiteAuthenticationEnabled,omitempty"` + // Gets or sets a value indicating whether web requests to the tunnel or port can be + // directly authenticated with bearer token authentication by supplying an + // `Authorization` header with an Entra ID or GitHub token of a user with access to the + // tunnel. The default is false, which means only the tunnel web authentication cookie or + // `X-Tunnel-Authorization` header can be used for authenticating web requests to the + // tunnel. + // + // When this option is enabled, AND neither a tunnel web authentication cookie nor an + // `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will + // attempt to authenticate the request using the `Authorization` header with Entra ID or + // GitHub credentials. In that case the `Authorization` header will be stripped from the + // request before it is forwarded to the host application. Enabling this option may be + // desirable for API tunnels, where clients are likely to have better support for bearer + // token authentication using the `Authorization` header. However, interception of that + // header could block host applications which themselves implement bearer token + // authentication, which is why this option is disabled by default. This option does not + // apply to the tunnel management API, which always supports bearer token authentication + // using the `Authorization` header. + IsBearerTokenAuthenticationEnabled bool `json:"isBearerTokenAuthenticationEnabled,omitempty"` + // Gets or sets the timeout for HTTP requests to the tunnel or port. // // The default timeout is 100 seconds. Set this to 0 to disable the timeout. The timeout diff --git a/go/tunnels/tunnels.go b/go/tunnels/tunnels.go index 5e7e2c48..9f9126cc 100644 --- a/go/tunnels/tunnels.go +++ b/go/tunnels/tunnels.go 
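Review bot: IsBearerTokenAuthenticationEnabled is a plain `bool` with `omitempty`, so a Go caller can never send an explicit `false`: unset and false both serialize as an absent field, whereas the C#, Rust and TypeScript contracts in this commit make the option a nullable tri-state. This mirrors the existing IsPartitionedSiteAuthenticationEnabled field, so it is consistent with the file, but whether it matters depends on the service's update semantics (full replace vs. merge), which are not visible here. The Java hunk has the mirror-image divergence, since Gson emits `false` for a primitive `public boolean` field with `@Expose`. If the service merges, `IsBearerTokenAuthenticationEnabled *bool` here and `public Boolean` there would align the SDKs; otherwise a short comment stating that false cannot be expressed would at least document the limitation. The TunnelOptions struct begins and ends outside this hunk.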
@@ -10,7 +10,7 @@ import ( "github.com/rodaine/table" ) -const PackageVersion = "0.1.19" +const PackageVersion = "0.1.20" func (tunnel *Tunnel) requestObject() (*Tunnel, error) { convertedTunnel := &Tunnel{ diff --git a/java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java b/java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java index e43b486d..a0b0a224 100644 --- a/java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java +++ b/java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java 
@@ -88,6 +88,29 @@ public class TunnelOptions { @Expose public boolean isPartitionedSiteAuthenticationEnabled; + /** + * Gets or sets a value indicating whether web requests to the tunnel or port can be + * directly authenticated with bearer token authentication by supplying an + * `Authorization` header with an Entra ID or GitHub token of a user with access to + * the tunnel. The default is false, which means only the tunnel web authentication + * cookie or `X-Tunnel-Authorization` header can be used for authenticating web + * requests to the tunnel. + * + * When this option is enabled, AND neither a tunnel web authentication cookie nor an + * `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will + * attempt to authenticate the request using the `Authorization` header with Entra ID + * or GitHub credentials. In that case the `Authorization` header will be stripped + * from the request before it is forwarded to the host application. Enabling this + * option may be desirable for API tunnels, where clients are likely to have better + * support for bearer token authentication using the `Authorization` header. However, + * interception of that header could block host applications which themselves + * implement bearer token authentication, which is why this option is disabled by + * default. This option does not apply to the tunnel management API, which always + * supports bearer token authentication using the `Authorization` header. + */ + @Expose + public boolean isBearerTokenAuthenticationEnabled; + /** * Gets or sets the timeout for HTTP requests to the tunnel or port. * diff --git a/rs/src/contracts/tunnel_options.rs b/rs/src/contracts/tunnel_options.rs index ed62c933..64df7139 100644 --- a/rs/src/contracts/tunnel_options.rs +++ b/rs/src/contracts/tunnel_options.rs 
@@ -70,6 +70,27 @@ pub struct TunnelOptions { #[serde(default)] pub is_partitioned_site_authentication_enabled: Option, + // Gets or sets a value indicating whether web requests to the tunnel or port can be + // directly authenticated with bearer token authentication by supplying an + // `Authorization` header with an Entra ID or GitHub token of a user with access to + // the tunnel. The default is false, which means only the tunnel web authentication + // cookie or `X-Tunnel-Authorization` header can be used for authenticating web + // requests to the tunnel. + // + // When this option is enabled, AND neither a tunnel web authentication cookie nor an + // `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will + // attempt to authenticate the request using the `Authorization` header with Entra ID + // or GitHub credentials. In that case the `Authorization` header will be stripped + // from the request before it is forwarded to the host application. Enabling this + // option may be desirable for API tunnels, where clients are likely to have better + // support for bearer token authentication using the `Authorization` header. However, + // interception of that header could block host applications which themselves + // implement bearer token authentication, which is why this option is disabled by + // default. This option does not apply to the tunnel management API, which always + // supports bearer token authentication using the `Authorization` header. + #[serde(default)] + pub is_bearer_token_authentication_enabled: Option, + // Gets or sets the timeout for HTTP requests to the tunnel or port. // // The default timeout is 100 seconds. Set this to 0 to disable the timeout. The diff --git a/ts/src/connections/package.json b/ts/src/connections/package.json index fab103f3..53888fa6 100644 --- a/ts/src/connections/package.json +++ b/ts/src/connections/package.json 
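Review bot: The documentation for `is_bearer_token_authentication_enabled` uses `//` line comments, which rustdoc does not attach to the field, so the generated crate docs will show this security-relevant option with no description. The neighbouring fields in this file use the same `//` style, so changing only this field would be inconsistent; converting the file's field comments to `///` is the better follow-up. The TunnelOptions struct begins and ends outside this hunk.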
@@ -18,8 +18,8 @@
 "buffer": "^5.2.1",
 "debug": "^4.1.1",
 "vscode-jsonrpc": "^4.0.0",
- "@microsoft/dev-tunnels-contracts": "^1.3.7",
- "@microsoft/dev-tunnels-management": "^1.3.7",
+ "@microsoft/dev-tunnels-contracts": "^1.3.8",
+ "@microsoft/dev-tunnels-management": "^1.3.8",
 "@microsoft/dev-tunnels-ssh": "^3.12.12",
 "@microsoft/dev-tunnels-ssh-tcp": "^3.12.12",
 "uuid": "^3.3.3",
diff --git a/ts/src/contracts/tunnelOptions.ts b/ts/src/contracts/tunnelOptions.ts
index 70c71ddb..ddec8445 100644
--- a/ts/src/contracts/tunnelOptions.ts
+++ b/ts/src/contracts/tunnelOptions.ts
@@ -77,6 +77,28 @@ export interface TunnelOptions { */ isPartitionedSiteAuthenticationEnabled?: boolean; + /** + * Gets or sets a value indicating whether web requests to the tunnel or port can be + * directly authenticated with bearer token authentication by supplying an + * `Authorization` header with an Entra ID or GitHub token of a user with access to + * the tunnel. The default is false, which means only the tunnel web authentication + * cookie or `X-Tunnel-Authorization` header can be used for authenticating web + * requests to the tunnel. + * + * When this option is enabled, AND neither a tunnel web authentication cookie nor an + * `X-Tunnel-Authorization` header is present in a web request, the tunnel relay will + * attempt to authenticate the request using the `Authorization` header with Entra ID + * or GitHub credentials. In that case the `Authorization` header will be stripped + * from the request before it is forwarded to the host application. Enabling this + * option may be desirable for API tunnels, where clients are likely to have better + * support for bearer token authentication using the `Authorization` header. However, + * interception of that header could block host applications which themselves + * implement bearer token authentication, which is why this option is disabled by + * default. This option does not apply to the tunnel management API, which always + * supports bearer token authentication using the `Authorization` header. + */ + isBearerTokenAuthenticationEnabled?: boolean; + /** * Gets or sets the timeout for HTTP requests to the tunnel or port. * diff --git a/ts/src/management/package.json b/ts/src/management/package.json index 47c13026..f390aead 100644 --- a/ts/src/management/package.json +++ b/ts/src/management/package.json @@ -18,7 +18,7 @@ "buffer": "^5.2.1", "debug": "^4.1.1", "vscode-jsonrpc": "^4.0.0", - "@microsoft/dev-tunnels-contracts": "^1.3.7", + "@microsoft/dev-tunnels-contracts": "^1.3.8", "axios": "^1.8.4" } }