Add getIdentityToken() for retrieving Workbench identity tokens

NAMESPACE

@@ -43,6 +43,7 @@ export(getActiveDocumentContext)
 export(getActiveProject)
 export(getConsoleEditorContext)
 export(getDelegatedAzureToken)
+export(getIdentityToken)
 export(getMode)
 export(getOAuthCredentials)
 export(getOAuthIntegration)

NEWS.md

@@ -2,6 +2,8 @@
 
 * `rstudioapi::documentNew()` now accepts arbitrary document types. (#316)
 
+* Added `getIdentityToken()` for retrieving the current user's identity token
+  on Posit Workbench, if possible.
 
 # rstudioapi 0.17.1
 

R/auth.R

@@ -51,6 +51,38 @@ getDelegatedAzureToken <- function(resource) {
   response$token
 }
 
+#' Get the User's Identity Token
+#'
+#' Retrieve the user's OpenID Connect identity token for the current Posit
+#' Workbench session, if any. This token can be used to authenticate with
+#' services that trust Workbench's identity provider.
+#'
+#' @return A list containing:
+#' \describe{
+#'   \item{token}{The identity token string.}
+#'   \item{expiry}{The token expiry time as a POSIXct datetime object.}
+#' }
+#' Throws an error if the token cannot be retrieved.
+#'
+#' @note This function works for any IDE running within a Posit Workbench
+#'   session, not just RStudio.
+#'
+#' @export
+getIdentityToken <- function() {
+  assertWorkbenchSession()
+
+  response <- callWorkbenchRPC(
+    method = "id_token",
+    body = list(),
+    error_context = "retrieving identity token"
+  )
+
+  list(
+    token = response$token,
+    expiry = as.POSIXct(response$expiry, format = "%Y-%m-%dT%H:%M:%OS", tz = "UTC")
+  )
+}
+
 #' Retrieve OAuth Credentials for Integrations
 #'
 #' Retrieve OAuth credentials for a configured OAuth integration in Posit Workbench.
@@ -335,7 +367,7 @@ assertWorkbenchSession <- function() {
     return(invisible(NULL))
   }
 
-  stop("OAuth functionality is only available within Posit Workbench sessions.")
+  stop("This functionality is only available within Posit Workbench sessions.")
 }
 
 # Internal helper to assert version requirement

_pkgdown.yml

@@ -90,6 +90,7 @@ reference:
     - findOAuthIntegration
     - getOAuthCredentials
     - getDelegatedAzureToken
+    - getIdentityToken
 
   - title    : Themes
     desc     : Work with RStudio editor themes.

tests/testthat/test-oauth.R

@@ -6,17 +6,17 @@ test_that("OAuth functions fail gracefully outside Workbench", {
 
   expect_error(
     getOAuthCredentials("4c1cfecb-1927-4f19-bc2f-d8ac261364e0"),
-    "OAuth functionality is only available within Posit Workbench sessions"
+    "This functionality is only available within Posit Workbench sessions"
   )
 
   expect_error(
     getOAuthIntegrations(),
-    "OAuth functionality is only available within Posit Workbench sessions"
+    "This functionality is only available within Posit Workbench sessions"
   )
 
   expect_error(
     getOAuthIntegration("test-guid"),
-    "OAuth functionality is only available within Posit Workbench sessions"
+    "This functionality is only available within Posit Workbench sessions"
   )
 })
 
@@ -109,3 +109,28 @@ test_that("getOAuthCredentials validates GUID format", {
     "audience must be a valid GUID"
   )
 })
+
+test_that("getIdentityToken fails gracefully outside Workbench", {
+  withr::local_envvar(
+    POSIT_PRODUCT = NA,
+    RS_SERVER_ADDRESS = NA
+  )
+
+  expect_error(
+    getIdentityToken(),
+    "This functionality is only available within Posit Workbench sessions"
+  )
+})
+
+test_that("getIdentityToken handles missing RPC cookie", {
+  withr::local_envvar(
+    RS_SERVER_ADDRESS = "http://localhost:8787",
+    RS_SESSION_RPC_COOKIE = NA,
+    PWB_SESSION_RUNTIME_DIR = NA
+  )
+
+  expect_error(
+    getIdentityToken(),
+    "RPC cookie not found"
+  )
+})