
auth: generalize external auth tokens for bearer-only sources #16286

Merged
bolinfest merged 1 commit into main from pr16286
Mar 31, 2026


@bolinfest (Collaborator) commented Mar 31, 2026

Summary

ExternalAuthRefresher was still shaped around external ChatGPT auth: ExternalAuthTokens always implied ChatGPT account metadata even when a caller only needed a bearer token.

This PR generalizes that contract so bearer-only sources are first-class, while keeping the existing ChatGPT paths strict anywhere we persist or rebuild ChatGPT auth state.

Motivation

This is the first step toward #15189.

The follow-on provider-auth work needs one shared external-auth contract that can do both of these things:

  • resolve the current bearer token before a request is sent
  • return a refreshed bearer token after a 401

That should not require a second token result type just because there is no ChatGPT account metadata attached.

What Changed

  • change ExternalAuthTokens to carry access_token plus optional ExternalAuthChatgptMetadata
  • add helper constructors for bearer-only tokens and ChatGPT-backed tokens
  • add ExternalAuthRefresher::resolve() with a default no-op implementation so refreshers can optionally provide the current token before a request is sent
  • keep ChatGPT-only persistence strict by continuing to require ChatGPT metadata anywhere the login layer seeds or reloads ChatGPT auth state
  • update the app-server bridge to construct the new token shape for external ChatGPT auth refreshes

Testing

  • cargo test -p codex-login

Stack created with Sapling. Best reviewed with ReviewStack.
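
The contract described in the PR description above, as an added Rust sketch that is not code from the PR or the project. Only the type names, `access_token` and `resolve()` come from the page; the `account_id` field, the constructor names, `refresh()`, `chatgpt_state_to_persist`, `StaticBearer` and the synchronous signatures are assumptions.

```rust
// Added sketch, not the project's code. Type names, `access_token` and `resolve`
// come from the PR description; every other name and signature is an assumption.
#[derive(Clone, PartialEq)] // no Debug: keeps tokens out of `{:?}` log output
pub struct ExternalAuthChatgptMetadata {
    pub account_id: String, // assumed field
}
#[derive(Clone, PartialEq)]
pub struct ExternalAuthTokens {
    pub access_token: String,
    pub chatgpt_metadata: Option<ExternalAuthChatgptMetadata>,
}

impl ExternalAuthTokens {
    pub fn bearer_only(token: &str) -> Self {
        Self { access_token: token.into(), chatgpt_metadata: None }
    }
    pub fn chatgpt(token: &str, account_id: &str) -> Self {
        let meta = ExternalAuthChatgptMetadata { account_id: account_id.into() };
        Self { access_token: token.into(), chatgpt_metadata: Some(meta) }
    }
}

pub trait ExternalAuthRefresher {
    /// Current token before a request is sent; the default is a no-op.
    fn resolve(&self) -> Result<Option<ExternalAuthTokens>, String> { Ok(None) }
    /// Fresh token after a 401 (method name assumed).
    fn refresh(&self) -> Result<ExternalAuthTokens, String>;
}

/// Strict path: only ChatGPT-backed tokens may seed persisted ChatGPT auth state.
pub fn chatgpt_state_to_persist(t: &ExternalAuthTokens) -> Result<(String, String), String> {
    match &t.chatgpt_metadata {
        Some(meta) => Ok((t.access_token.clone(), meta.account_id.clone())),
        None => Err("bearer-only token cannot seed ChatGPT auth state".into()),
    }
}

/// Constructed bearer-only source that relies on the default `resolve()`.
pub struct StaticBearer;
impl ExternalAuthRefresher for StaticBearer {
    fn refresh(&self) -> Result<ExternalAuthTokens, String> {
        Ok(ExternalAuthTokens::bearer_only("constructed-token"))
    }
}

fn main() {
    let fresh = StaticBearer.refresh().unwrap();
    assert!(StaticBearer.resolve() == Ok(None) && chatgpt_state_to_persist(&fresh).is_err());
}
```

The persistence helper fails closed: a bearer-only token is usable for a request but is rejected wherever ChatGPT auth state would be written.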

@bolinfest (Collaborator, Author)

@codex review

@chatgpt-codex-connector (Contributor)

Codex Review: Didn't find any major issues. Can't wait for the next one!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@bolinfest bolinfest merged commit ea650a9 into main Mar 31, 2026
43 of 44 checks passed
@bolinfest bolinfest deleted the pr16286 branch March 31, 2026 08:02
@github-actions github-actions bot locked and limited conversation to collaborators Mar 31, 2026