Skip to content

Codex Desktop does not detect expired OAuth login state for plugin apps #31385

Description

@CxMYu

What version of the Codex App are you using (From “About Codex” dialog)?

Codex Desktop 26.623.19656.0

What subscription do you have?

Redacted / not relevant to the bug.

What platform is your computer?

Windows x64. Exact OS build omitted.

What issue are you seeing?

OAuth-backed plugin apps can silently lose their login/authentication state, but Codex Desktop does not appear to detect or surface this state.

When the OAuth session/token for a plugin-backed app expires, is revoked, or otherwise becomes invalid:

  • The plugin may still appear installed/enabled.
  • Codex may continue to expose the plugin capability as if it is usable.
  • The app does not clearly show that re-authentication is required.
  • The user only discovers the problem indirectly when plugin calls fail, hang, disappear, or behave as unavailable.
  • There is no obvious stale-auth indicator, reconnect prompt, or plugin-level login health check in the Codex app UI.

This makes OAuth/plugin failures look like random plugin, MCP, or thread-state bugs instead of a normal expired-login condition.

What steps can reproduce the bug?

  1. Install or enable a Codex Desktop plugin that uses OAuth login.
  2. Complete the OAuth login flow successfully.
  3. Confirm the plugin works in a Codex thread.
  4. Invalidate the OAuth session externally, for example by revoking access, expiring the token, changing account permissions, or waiting until the login expires.
  5. Return to Codex Desktop.
  6. Observe that Codex still appears unaware of the invalid OAuth state.
  7. Attempt to use the plugin again.

Actual behavior:

  • Codex does not proactively mark the plugin as unauthenticated.
  • The UI does not clearly prompt the user to reconnect.
  • Existing or resumed threads may continue to show stale plugin availability.
  • The failure is only visible later through tool/plugin errors or missing capabilities.

What is the expected behavior?

Codex Desktop should detect and surface expired OAuth state for plugin apps.

Expected behavior:

  • Plugin status should distinguish installed/enabled from authenticated/usable.
  • If OAuth is expired or revoked, Codex should show a clear "Re-authenticate" or "Reconnect" action.
  • Threads should not silently continue with stale plugin auth assumptions.
  • Plugin/MCP calls should return a clear auth-expired error instead of appearing as generic plugin failure.
  • Restarting Codex or starting a new thread should not be required just to discover that OAuth has expired.

Additional information

Please treat this as a plugin authentication state / UX issue, not a user account-specific report. Personal account details, tokens, machine names, local paths, and session IDs are intentionally omitted.

Metadata

Metadata

Assignees

No one assigned

    Labels

    appIssues related to the Codex desktop appauthIssues related to authentication and accountsbugSomething isn't workingskillsIssues related to skills

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions