opencode web behind a reverse proxy: OAuth callbacks should use the external URL, not localhost:1455 #24455

@thepiwo

Description

When opencode web is run behind a reverse proxy (e.g. exposed at
https://opencode.example.com), OAuth flows that rely on a callback URL
cannot complete. The codex plugin (ChatGPT subscription auth) starts a
side-listener on 127.0.0.1:1455 (packages/opencode/src/plugin/codex.ts,
OAUTH_PORT = 1455) and uses
redirect_uri=http://localhost:1455/auth/callback. The browser running the
auth flow is on the user's own machine, not the opencode server, so:

  • The redirect lands on the user's localhost:1455, where nothing is
    listening.
  • The listener inside the opencode container binds to loopback, so even if
    Docker -p 1455:1455 were added, it can't be reached. SSH tunnels also
    fail unless the bind is 0.0.0.0 and ports are published — none of which
    is reasonable to ask web-UI users to set up per-session.
  • The headless/device-code mode added in 1.14.x works for some, but is
    blocked by SSO/IdP policies in some orgs.

Proposed change

For opencode web deployments, the OAuth callback should be served by the
opencode web server itself, at the externally-reachable URL the user is
already using:

  1. Public URL config, e.g. env var OPENCODE_PUBLIC_URL (or config field
     server.publicUrl). Could also be auto-detected from the request that
     initiated the OAuth flow (X-Forwarded-Host / X-Forwarded-Proto or
     Host).
  2. Serve the callback on the web server, not a side-listener. When
     OPENCODE_PUBLIC_URL is set, OAuth flows started from the web UI use
     ${OPENCODE_PUBLIC_URL}/auth/callback as redirect_uri and the opencode
     web server (port 4096) handles that path, replacing the
     localhost:1455 listener for this deployment mode.

External constraint

Per #8798's investigation, the OpenAI OAuth client used by opencode has its
redirect URI locked to http://localhost:1455/auth/callback. Making the
above usable for ChatGPT auth requires one of:

  • Registering additional URIs / a wildcard with OpenAI on opencode's OAuth
    app.
  • An opencode-hosted relay endpoint that accepts the callback and forwards
    the code to the user-supplied URL via state (similar to how some OAuth
    proxies work).

Other providers (Anthropic, GitHub Copilot) already work fine via paste-code
/ device-code and aren't affected.

Use case

Self-hosted opencode web in Docker behind a reverse proxy at a public URL;
shared by one or more users from their normal browser. OAuth must complete
without SSH tunnels, port forwarding, or copying auth.json from a
workstation.
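
The sketch below is an added illustration of the proposed change (public URL
config, callback served by the web server, fallback to the existing
localhost:1455 redirect). It is not code from opencode or from the issue
author. OPENCODE_PUBLIC_URL and the /auth/callback path come from the
proposal; the function names, the trusted-host allowlist, the PKCE/state
bookkeeping and the example authorize endpoint and client id are assumptions.
The allowlist is the check a practitioner would want that the issue does not
spell out: Host / X-Forwarded-Host are client-controlled unless the proxy
overwrites them, so auto-detection must only accept hosts the operator has
named, otherwise a request can point the redirect_uri at an attacker's host.
The external constraint above (the provider's locked redirect URI) still
applies; this only shows the server side.

```typescript
// Added example for this issue, not opencode's own code. Assumed names:
// resolvePublicUrl, redirectUriFor, startFlow, handleCallback, the
// trustedHosts allowlist, and the placeholder authorize endpoint in the usage.
import { createHash, randomBytes } from "node:crypto";

// The redirect URI the codex plugin uses today (from the issue text).
export const LOCAL_REDIRECT_URI = "http://localhost:1455/auth/callback";

export interface RequestLike {
  headers: Record<string, string | undefined>;
}

// Resolve the externally reachable base URL. The configured value wins; the
// forwarded headers are used only when the host is on an operator allowlist,
// because any client can send Host / X-Forwarded-Host and would otherwise be
// able to steer the callback (and the authorization code) to its own host.
export function resolvePublicUrl(
  env: Record<string, string | undefined>,
  req: RequestLike,
  trustedHosts: string[],
): string | null {
  const configured = env.OPENCODE_PUBLIC_URL;
  if (configured) return configured.replace(/\/+$/, "");
  const rawHost = req.headers["x-forwarded-host"] ?? req.headers["host"];
  if (!rawHost) return null;
  // Proxies append to an existing list; the left-most entry is client-facing.
  const host = rawHost.replace(/,.*$/, "").trim().toLowerCase();
  if (host === "" || !trustedHosts.includes(host)) return null;
  const proto = (req.headers["x-forwarded-proto"] ?? "http").replace(/,.*$/, "").trim();
  return `${proto}://${host}`;
}

// Fall back to the loopback listener when no public URL is known.
export function redirectUriFor(publicUrl: string | null): string {
  return publicUrl ? `${publicUrl}/auth/callback` : LOCAL_REDIRECT_URI;
}

function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

interface PendingFlow { verifier: string; redirectUri: string; expiresAt: number }
const STATE_TTL_MS = 10 * 60 * 1000;
// Flows started from the web UI, keyed by their one-time state value.
const pending = new Map<string, PendingFlow>();

// Build the authorize URL for a flow started from the web UI. The state is
// random and single-use; the PKCE verifier is kept server-side with the exact
// redirect_uri so the later token exchange can send the same value.
export function startFlow(
  authorizeEndpoint: string,
  clientId: string,
  redirectUri: string,
  now: number = Date.now(),
): { url: string; state: string } {
  const state = b64url(randomBytes(32));
  const verifier = b64url(randomBytes(32));
  const challenge = b64url(createHash("sha256").update(verifier).digest());
  pending.set(state, { verifier, redirectUri, expiresAt: now + STATE_TTL_MS });
  const u = new URL(authorizeEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", challenge);
  u.searchParams.set("code_challenge_method", "S256");
  return { url: u.toString(), state };
}

export type CallbackResult =
  | { ok: true; code: string; verifier: string; redirectUri: string }
  | { ok: false; error: string };

// Handler for GET /auth/callback on the web server. The state is consumed
// before any other check so a replayed or guessed value can never succeed.
export function handleCallback(
  query: Record<string, string | undefined>,
  now: number = Date.now(),
): CallbackResult {
  const { code, state, error } = query;
  if (error) return { ok: false, error: `provider returned ${error}` };
  if (!code || !state) return { ok: false, error: "missing code or state" };
  const flow = pending.get(state);
  pending.delete(state);
  if (!flow) return { ok: false, error: "unknown state" };
  if (now > flow.expiresAt) return { ok: false, error: "state expired" };
  return { ok: true, code, verifier: flow.verifier, redirectUri: flow.redirectUri };
}

// Usage (placeholder endpoint and client id, not real provider values):
const publicUrl = resolvePublicUrl(process.env, { headers: {} }, []);
const flow = startFlow("https://auth.example.com/oauth/authorize", "client-id",
  redirectUriFor(publicUrl));
console.log("send the browser to:", flow.url);
```

If the relay variant from "External constraint" is chosen instead, the same
rule applies to the relay: the forwarding target must be bound to a signed or
allowlisted state value, otherwise the relay is an open redirect that hands
authorization codes to whatever URL the state names.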
