💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: be08ad0e4b
| /// Working directory used when running the token command. | ||
| #[serde(default = "default_provider_auth_cwd")] | ||
| #[schemars(skip)] |
Expose auth.cwd in schema or stop serializing it
ModelProviderAuthInfo marks cwd with #[schemars(skip)], but the type is still deserialized/serialized and ModelProviderAuthInfo uses additionalProperties: false in the generated schema. This creates a mismatch where valid runtime config (or config emitted by serialization that includes auth.cwd) is treated as invalid by schema-based tooling and editors, which can block users from persisting or validating working provider auth configs.
Closing in favor of #16288.
Summary
Fixes #15189.
Custom model providers that set requires_openai_auth = false could only use static credentials via env_key or experimental_bearer_token. That is not enough for providers that mint short-lived bearer tokens, because Codex had no way to resolve a provider token dynamically, cache it briefly in memory, and refresh it after a 401.
This PR adds command-backed provider auth on top of #16277 and #16275. The key design point is that request paths still do not get a second auth abstraction: provider traffic uses a provider-scoped AuthManager, so both token resolution and 401 recovery continue to flow through AuthManager.auth() and UnauthorizedRecovery.
Example usage
The command contract is intentionally small:
- stdout
- 0
What changed
- ModelProviderAuthInfo and model_providers.<id>.auth to the config model and generated schema
- env_key, experimental_bearer_token, and requires_openai_auth
- core/src/provider_auth.rs, which implements a command-backed ExternalAuthRefresher with in-memory TTL caching, timeout handling, and cwd support
- AuthManager instances used by ModelClient and ModelsManager when a provider configures auth, so provider requests use the external bearer source without affecting the base session auth manager
- /models refresh online for command-auth providers and retry once after 401 through UnauthorizedRecovery
- auth.cwd available as an advanced escape hatch and include it in the generated config schema
Testing
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth cargo check -p codex-core
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core provider_auth::tests::
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core provider_auth_command_supplies_bearer_token
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core provider_auth_command_refreshes_after_401
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core refresh_available_models_refreshes_provider_auth_after_401
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core test_deserialize_provider_auth_config_defaults
- CARGO_TARGET_DIR=/tmp/codex-core-provider-auth-tests cargo test -p codex-core rejects_provider_auth_with_env_key
Docs
- developers.openai.com/codex should document the new [model_providers.<id>.auth] block and the token-command contract
Stack created with Sapling. Best reviewed with ReviewStack.
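The mechanism the description names (a token command with in-memory TTL caching, a timeout, a working directory, and re-minting after a 401), as an added Rust example that is not code from this pull request or from Codex. CommandTokenSource and its methods are hypothetical names, and the contract it enforces (token on stdout, exit status 0) is an assumption.

```rust
use std::io::Read;
use std::path::PathBuf;
use std::process::{Command, Stdio};
use std::time::{Duration, Instant};
/// Hypothetical command-backed bearer source; names are illustrative, not Codex's.
pub struct CommandTokenSource {
    argv: Vec<String>,
    cwd: PathBuf,
    ttl: Duration,     // how long a minted token is reused from memory
    timeout: Duration, // upper bound on one run of the token command
    cached: Option<(String, Instant)>,
}
impl CommandTokenSource {
    pub fn new(argv: &[&str], cwd: PathBuf, ttl: Duration, timeout: Duration) -> Self {
        Self { argv: argv.iter().map(|a| a.to_string()).collect(), cwd, ttl, timeout, cached: None }
    }
    /// Return the cached token while it is fresh, otherwise run the command.
    pub fn token(&mut self) -> Result<String, String> {
        if let Some((tok, at)) = &self.cached {
            if at.elapsed() < self.ttl { return Ok(tok.clone()); }
        }
        let tok = self.run()?;
        self.cached = Some((tok.clone(), Instant::now()));
        Ok(tok)
    }
    /// Call after a 401: drop the cached token so the next request re-mints it.
    pub fn invalidate(&mut self) { self.cached = None; }
    fn run(&self) -> Result<String, String> {
        let (prog, args) = self.argv.split_first().ok_or("empty argv")?;
        let mut child = Command::new(prog).args(args).current_dir(&self.cwd) // no shell involved
            .stdin(Stdio::null()).stdout(Stdio::piped()).stderr(Stdio::null())
            .spawn().map_err(|e| format!("spawn failed: {e}"))?;
        let deadline = Instant::now() + self.timeout;
        let status = loop {
            match child.try_wait().map_err(|e| e.to_string())? {
                Some(s) => break s,
                None if Instant::now() >= deadline => {
                    let _ = (child.kill(), child.wait()); // kill, then reap the process
                    return Err("token command timed out".into());
                }
                None => std::thread::sleep(Duration::from_millis(10)),
            }
        };
        // Errors carry the exit status only, never the command's output.
        if !status.success() { return Err(format!("token command failed: {status}")); }
        let mut out = String::new(); // read after exit: assumes token-sized output
        child.stdout.take().ok_or("no stdout")?.read_to_string(&mut out).map_err(|e| e.to_string())?;
        match out.trim() { "" => Err("token command printed nothing".into()), tok => Ok(tok.to_string()) }
    }
}
```

A caller would use token() for each request's Authorization header and call invalidate() followed by one more token() when the provider answers 401.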