refactor: unify external auth resolution#31421
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c1b77736c0
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review this |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 31e538d06e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f8db315033
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review this |
|
Codex Review: Didn't find any major issues. Nice work! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
85053fa to
ce1f9e4
Compare
| ))); | ||
| } | ||
|
|
||
| login_with_chatgpt_auth_tokens( |
There was a problem hiding this comment.
This was saving tokens to ephemeral storage directly and had normal reload pick them up instead of having external auth bridge be the source of truth.
Summary
External auth had two paths: provider-command credentials were resolved through
ExternalAuth, while app-provided ChatGPT credentials were installed separately and only used the provider for refresh.ExternalAuthalso declared an auth mode independently from theCodexAuthvalue it returned, so the declaration and credentials could disagree.This change makes the provider-owned
CodexAuthauthoritative for initial resolution, credential kind, and refresh.ExternalAuth::auth_modeand require providers to return their current auth fromresolveAuthManager::set_external_authProvider-command auth still follows its configured cache interval. App-provided ChatGPT auth still asks the parent app once after a
401and retries the request once.Stacked on #31355.
Testing
just test -p codex-loginjust test -p codex-models-managercodex-app-servertests for external login/logout, unauthorized refresh, and workspace mismatch