refactor: route Codex auth through AuthProvider#18811
Merged
efrazer-oai merged 3 commits intomainfrom Apr 24, 2026
Merged
Conversation
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
af22d58 to
d21eaed
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
86413e2 to
0b61c82
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
d21eaed to
52b5ad3
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
0b61c82 to
52e547c
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: af22d58d06
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
52b5ad3 to
b51b093
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
b4f801e to
b718d3e
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
b51b093 to
f5befea
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
b718d3e to
b23a44f
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
f5befea to
690d32a
Compare
Contributor
There was a problem hiding this comment.
💡 Codex Review
codex/codex-rs/chatgpt/src/connectors.rs
Lines 27 to 31 in 690d32a
Use config-backed auth manager when checking Apps auth
apps_enabled() now treats AgentIdentity as valid (uses_codex_backend), but it still builds auth with AuthManager::shared(...), which does not pass config.chatgpt_base_url. AgentIdentity runtime init can then target the default backend and fail in non-default deployments, causing this early gate to return false and skip connectors despite valid auth.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
b23a44f to
4c2b315
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
efc466e to
37f3339
Compare
This was referenced Apr 21, 2026
efrazer-oai
changed the title
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
4c2b315 to
be0d99c
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
37f3339 to
dc19ee2
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
be0d99c to
0881c58
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
dc19ee2 to
6784881
Compare
pakrym-oai
reviewed
Apr 22, 2026
| let token_data = | ||
| get_chatgpt_token_data().ok_or_else(|| anyhow::anyhow!("ChatGPT token not available"))?; | ||
| let cache_key = all_connectors_cache_key(config, &token_data); | ||
| let auth_manager = |
Collaborator
There was a problem hiding this comment.
we added a bit of boilerplate by removing init_chatgpt_token_from_auth. anyting worth doing?
Contributor
Author
There was a problem hiding this comment.
I added a different type of helper for this to avoid repetition; i think reasoning about the Auth object is easier than the OnceLock we had for auth data which felt a bit hidden.
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
2 times, most recently
from
df5a2df to
ed51cb2
Compare
pakrym-oai
reviewed
Apr 22, 2026
| .map_err(std::io::Error::other) | ||
| }) | ||
| } | ||
| CodexAuth::ApiKey(_) => self.auth.api_key().map_or_else( |
Collaborator
There was a problem hiding this comment.
why does this partially reimplement bearer provider? can we add a separate provider for model identity and reuse bearer when appropriate/
pakrym-oai
reviewed
Apr 22, 2026
| }) | ||
| } | ||
|
|
||
| pub fn is_workspace_account(&self) -> bool { |
Collaborator
There was a problem hiding this comment.
don't we already have this logic somewhere?
Contributor
Author
There was a problem hiding this comment.
Extracted it out into a helper under plan_type
pakrym-oai
reviewed
Apr 22, 2026
| &self.record | ||
| } | ||
|
|
||
| pub fn process_task_id(&self) -> Option<&str> { |
Collaborator
There was a problem hiding this comment.
both pub field and pub method?
Contributor
Author
There was a problem hiding this comment.
Fixed, only pub getter now
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
ed51cb2 to
40daf07
Compare
efrazer-oai
added a commit
that referenced
this pull request
Apr 22, 2026
## Summary This PR adds `codex-agent-identity` as an isolated crate for Agent Identity business logic. The crate owns: - AgentAssertion construction. - Agent task registration. - private-key assertion signing. - bounded blocking HTTP for task registration. It does not wire AgentIdentity into `auth.json`, `AuthManager`, rollout state, or request callsites. That integration happens in later PRs. Reference old stack: https://github.com/openai/codex/pull/17387/changes ## Stack 1. #18757: full revert 2. This PR: isolated Agent Identity crate 3. #18785: explicit AgentIdentity auth mode and startup task allocation 4. #18811: migrate Codex backend auth callsites through AuthProvider 5. #18904: accept AgentIdentity JWTs and load `CODEX_AGENT_IDENTITY` ## Testing Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
40daf07 to
06285d7
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
ce246ec to
cb93ab0
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
06285d7 to
b7bde9c
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-runtime
branch
from
cb93ab0 to
316a875
Compare
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
b7bde9c to
a457bb3
Compare
efrazer-oai
added a commit
that referenced
this pull request
Apr 22, 2026
## Summary This PR adds `CodexAuth::AgentIdentity` as an explicit auth mode. An AgentIdentity auth record is a standalone `auth.json` mode. When `AuthManager::auth().await` loads that mode, it registers one process-scoped task and stores it in runtime-only state on the auth value. Header creation stays synchronous after that because the task is initialized before callers receive the auth object. This PR also removes the old feature flag path. AgentIdentity is selected by explicit auth mode, not by a hidden flag or lazy mutation of ChatGPT auth records. Reference old stack: https://github.com/openai/codex/pull/17387/changes ## Design Decisions - AgentIdentity is a real auth enum variant because it can be the only credential in `auth.json`. - The process task is ephemeral runtime state. It is not serialized and is not stored in rollout/session data. - Account/user metadata needed by existing Codex backend checks lives on the AgentIdentity record for now. - `is_chatgpt_auth()` remains token-specific. - `uses_codex_backend()` is the broader predicate for ChatGPT-token auth and AgentIdentity auth. ## Stack 1. #18757: full revert 2. #18871: isolated Agent Identity crate 3. This PR: explicit AgentIdentity auth mode and startup task allocation 4. #18811: migrate Codex backend auth callsites through AuthProvider 5. #18904: accept AgentIdentity JWTs and load `CODEX_AGENT_IDENTITY` ## Testing Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
Base automatically changed from
dev/efrazer/agent-identity-auth-runtime
to
main
April 22, 2026 05:33
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
from
a457bb3 to
6c03831
Compare
pakrym-oai
reviewed
Apr 22, 2026
| } | ||
| } | ||
|
|
||
| pub fn empty() -> Self { |
Collaborator
There was a problem hiding this comment.
why would we ever construct empty?
pakrym-oai
reviewed
Apr 22, 2026
| retry_suffix_after_or(self.resets_at.as_ref()) | ||
| ), | ||
| Some(PlanType::Known( | ||
| Some(PlanType::Known(plan)) => match plan { |
Collaborator
There was a problem hiding this comment.
let's not churn this logic unless needed.
pakrym-oai
reviewed
Apr 22, 2026
| | Self::Enterprise | ||
| | Self::Edu | ||
| ) | ||
| self.is_team_like() |
Collaborator
There was a problem hiding this comment.
do we need to change this?
pakrym-oai
reviewed
Apr 22, 2026
| } | ||
|
|
||
| impl KnownPlan { | ||
| pub fn is_team_like(self) -> bool { |
Collaborator
There was a problem hiding this comment.
why do we have these methods in so many places? on KnownPlan and on PlanType
pakrym-oai
approved these changes
Apr 22, 2026
efrazer-oai
force-pushed
the
dev/efrazer/agent-identity-auth-callers
branch
4 times, most recently
from
d339b11 to
ece4453
Compare
morozow
pushed a commit
to morozow/codex
that referenced
this pull request
Apr 23, 2026
## Summary This PR fully reverts the previously merged Agent Identity runtime integration from the old stack: https://github.com/openai/codex/pull/17387/changes It removes the Codex-side task lifecycle wiring, rollout/session persistence, feature flag plumbing, lazy `auth.json` mutation, background task auth paths, and request callsite changes introduced by that stack. This leaves the repo in a clean pre-AgentIdentity integration state so the follow-up PRs can reintroduce the pieces in smaller reviewable layers. ## Stack 1. This PR: full revert 2. openai#18871: move Agent Identity business logic into a crate 3. openai#18785: add explicit AgentIdentity auth mode and startup task allocation 4. openai#18811: migrate auth callsites through AuthProvider ## Testing Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR moves Codex backend request authentication from direct bearer-token handling to
AuthProvider.The new
codex-auth-providercrate defines the shared request-auth trait.CodexAuth::provider()returns a provider that can apply all headers needed for the selected auth mode.This lets ChatGPT token auth and AgentIdentity auth share the same callsite path:
Reference old stack: https://github.com/openai/codex/pull/17387/changes
Callsite Migration
AuthProviderinstead of a raw token/headerCodexAuth::provider()uses_codex_backend()and keys caches from generic account gettersStack
CODEX_AGENT_IDENTITYTesting
Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.