Add option for partitioned auth cookies

Author: jasongin

cs/src/Contracts/TunnelOptions.cs

@@ -84,5 +84,15 @@ public class TunnelOptions
         /// </summary>
         [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
         public bool IsCrossSiteAuthenticationEnabled { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether the tunnel web-forwarding authentication cookie is set as
+        /// Partitioned (CHIPS). The default is false. This only applies to tunnels that require authentication.
+        /// </summary>
+        /// <remarks>
+        /// A partitioned cookie always also has SameSite=None for compatbility with browsers that do not support partitioning.
+        /// </remarks>
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
+        public bool IsPartitionedSiteAuthenticationEnabled { get; set; }
     }
 }

go/tunnels/tunnel_options.go

@@ -9,45 +9,53 @@ type TunnelOptions struct {
 	// Gets or sets a value indicating whether web-forwarding of this tunnel can run on any
 	// cluster (region) without redirecting to the home cluster. This is only applicable if
 	// the tunnel has a name and web-forwarding uses it.
-	IsGloballyAvailable              bool `json:"isGloballyAvailable,omitempty"`
+	IsGloballyAvailable                    bool `json:"isGloballyAvailable,omitempty"`
 
 	// Gets or sets a value for `Host` header rewriting to use in web-forwarding of this
 	// tunnel or port. By default, with this property null or empty, web-forwarding uses
 	// "localhost" to rewrite the header. Web-fowarding will use this property instead if it
 	// is not null or empty. Port-level option, if set, takes precedence over this option on
 	// the tunnel level. The option is ignored if IsHostHeaderUnchanged is true.
-	HostHeader                       string `json:"hostHeader,omitempty"`
+	HostHeader                             string `json:"hostHeader,omitempty"`
 
 	// Gets or sets a value indicating whether `Host` header is rewritten or the header value
 	// stays intact. By default, if false, web-forwarding rewrites the host header with the
 	// value from HostHeader property or "localhost". If true, the host header will be
 	// whatever the tunnel's web-forwarding host is, e.g. tunnel-name-8080.devtunnels.ms.
 	// Port-level option, if set, takes precedence over this option on the tunnel level.
-	IsHostHeaderUnchanged            bool `json:"isHostHeaderUnchanged,omitempty"`
+	IsHostHeaderUnchanged                  bool `json:"isHostHeaderUnchanged,omitempty"`
 
 	// Gets or sets a value for `Origin` header rewriting to use in web-forwarding of this
 	// tunnel or port. By default, with this property null or empty, web-forwarding uses
 	// "http(s)://localhost" to rewrite the header. Web-fowarding will use this property
 	// instead if it is not null or empty. Port-level option, if set, takes precedence over
 	// this option on the tunnel level. The option is ignored if IsOriginHeaderUnchanged is
 	// true.
-	OriginHeader                     string `json:"originHeader,omitempty"`
+	OriginHeader                           string `json:"originHeader,omitempty"`
 
 	// Gets or sets a value indicating whether `Origin` header is rewritten or the header
 	// value stays intact. By default, if false, web-forwarding rewrites the origin header
 	// with the value from OriginHeader property or "http(s)://localhost". If true, the
 	// Origin header will be whatever the tunnel's web-forwarding Origin is, e.g.
 	// https://tunnel-name-8080.devtunnels.ms. Port-level option, if set, takes precedence
 	// over this option on the tunnel level.
-	IsOriginHeaderUnchanged          bool `json:"isOriginHeaderUnchanged,omitempty"`
+	IsOriginHeaderUnchanged                bool `json:"isOriginHeaderUnchanged,omitempty"`
 
 	// Gets or sets if inspection is enabled for the tunnel.
-	IsInspectionEnabled              bool `json:"isInspectionEnabled,omitempty"`
+	IsInspectionEnabled                    bool `json:"isInspectionEnabled,omitempty"`
 
 	// Gets or sets a value indicating whether web requests to a tunnel can use the tunnel
 	// web authentication cookie if they come from a different site. Specifically, this
 	// controls whether the tunnel web-forwarding authentication cookie is marked as
 	// SameSite=None. The default is false, which means the cookie is marked as SameSite=Lax.
 	// This only applies to tunnels that require authentication.
-	IsCrossSiteAuthenticationEnabled bool `json:"isCrossSiteAuthenticationEnabled,omitempty"`
+	IsCrossSiteAuthenticationEnabled       bool `json:"isCrossSiteAuthenticationEnabled,omitempty"`
+
+	// Gets or sets a value indicating whether the tunnel web-forwarding authentication
+	// cookie is set as Partitioned (CHIPS). The default is false. This only applies to
+	// tunnels that require authentication.
+	//
+	// A partitioned cookie always also has SameSite=None for compatbility with browsers that
+	// do not support partitioning.
+	IsPartitionedSiteAuthenticationEnabled bool `json:"isPartitionedSiteAuthenticationEnabled,omitempty"`
 }

go/tunnels/tunnels.go

@@ -10,7 +10,7 @@ import (
 	"github.com/rodaine/table"
 )
 
-const PackageVersion = "0.1.15"
+const PackageVersion = "0.1.16"
 
 func (tunnel *Tunnel) requestObject() (*Tunnel, error) {
 	convertedTunnel := &Tunnel{

java/src/main/java/com/microsoft/tunnels/contracts/TunnelOptions.java

@@ -76,4 +76,15 @@ public class TunnelOptions {
      */
     @Expose
     public boolean isCrossSiteAuthenticationEnabled;
+
+    /**
+     * Gets or sets a value indicating whether the tunnel web-forwarding authentication
+     * cookie is set as Partitioned (CHIPS). The default is false. This only applies to
+     * tunnels that require authentication.
+     *
+     * A partitioned cookie always also has SameSite=None for compatbility with browsers
+     * that do not support partitioning.
+     */
+    @Expose
+    public boolean isPartitionedSiteAuthenticationEnabled;
 }

rs/src/contracts/tunnel_options.rs

@@ -60,4 +60,13 @@ pub struct TunnelOptions {
     // SameSite=Lax. This only applies to tunnels that require authentication.
     #[serde(default)]
     pub is_cross_site_authentication_enabled: bool,
+
+    // Gets or sets a value indicating whether the tunnel web-forwarding authentication
+    // cookie is set as Partitioned (CHIPS). The default is false. This only applies to
+    // tunnels that require authentication.
+    //
+    // A partitioned cookie always also has SameSite=None for compatbility with browsers
+    // that do not support partitioning.
+    #[serde(default)]
+    pub is_partitioned_site_authentication_enabled: bool,
 }

ts/src/connections/package.json

@@ -18,8 +18,8 @@
 		"buffer": "^5.2.1",
 		"debug": "^4.1.1",
 		"vscode-jsonrpc": "^4.0.0",
-		"@microsoft/dev-tunnels-contracts": ">1.2.4",
-		"@microsoft/dev-tunnels-management": ">1.2.4",
+		"@microsoft/dev-tunnels-contracts": ">1.2.5",
+		"@microsoft/dev-tunnels-management": ">1.2.5",
 		"@microsoft/dev-tunnels-ssh": "^3.12.5",
 		"@microsoft/dev-tunnels-ssh-tcp": "^3.12.5",
 		"uuid": "^3.3.3",

ts/src/contracts/tunnelOptions.ts

@@ -66,4 +66,14 @@ export interface TunnelOptions {
      * SameSite=Lax. This only applies to tunnels that require authentication.
      */
     isCrossSiteAuthenticationEnabled?: boolean;
+
+    /**
+     * Gets or sets a value indicating whether the tunnel web-forwarding authentication
+     * cookie is set as Partitioned (CHIPS). The default is false. This only applies to
+     * tunnels that require authentication.
+     *
+     * A partitioned cookie always also has SameSite=None for compatbility with browsers
+     * that do not support partitioning.
+     */
+    isPartitionedSiteAuthenticationEnabled?: boolean;
 }

ts/src/management/package.json

@@ -18,7 +18,7 @@
 		"buffer": "^5.2.1",
 		"debug": "^4.1.1",
 		"vscode-jsonrpc": "^4.0.0",
-		"@microsoft/dev-tunnels-contracts": ">1.2.4",
+		"@microsoft/dev-tunnels-contracts": ">1.2.5",
 		"axios": "^1.8.4"
 	}
 }