feat: load AgentIdentity from JWT env #18904

Open
efrazer-oai wants to merge 1 commit into dev/efrazer/agent-identity-auth-callers from dev/efrazer/agent-identity-env-jwt

@efrazer-oai
Contributor

Summary

This PR lets programmatic AgentIdentity users paste one token into the environment or auth.json.

auth.json.agent_identity now accepts either the normal object form or a JWT string. The JWT is decoded into the same AgentIdentityAuthRecord used by the explicit CodexAuth::AgentIdentity mode.

When env auth is enabled, CODEX_AGENT_IDENTITY can provide that same JWT without writing auth state to disk. CODEX_API_KEY still wins if both env vars are set.

Reference old stack: https://github.com/openai/codex/pull/17387/changes
Reference JWT/env stack: #18176

Stack

  1. fix: fully revert agent identity runtime wiring #18757: full revert
  2. refactor: add agent identity crate #18871: isolated Agent Identity crate
  3. feat: add explicit AgentIdentity auth mode #18785: explicit AgentIdentity auth mode and startup task allocation
  4. refactor: route Codex auth through AuthProvider #18811: migrate Codex backend auth callsites through AuthProvider
  5. This PR: accept AgentIdentity JWTs and load CODEX_AGENT_IDENTITY

Testing

Tests: targeted Rust checks for AgentIdentity JWT/env loading and CI.
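
The env precedence and JWT decoding described in the summary above, as an added example that is not code from this PR: EnvAuth, b64url_decode, jwt_payload_json and resolve_env_auth are hypothetical names, the token is constructed, and treating a malformed token as an error is an assumption. It decodes the payload only and does not verify the signature.

```rust
// Added example, not code from this PR; all names below are hypothetical.
#[derive(Debug, PartialEq)]
enum EnvAuth {
    ApiKey(String),
    AgentIdentityClaims(String), // raw payload JSON; signature NOT verified
    None,
}

// Decode unpadded base64url (RFC 4648 section 5), the JWT segment encoding.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62, b'_' => 63,
            _ => return None, // '=', '+', '/' and whitespace are rejected
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8); // `as u8` keeps the low 8 bits
        }
    }
    Some(out)
}

// Return the payload JSON of a compact JWT (header.payload.signature).
fn jwt_payload_json(token: &str) -> Option<String> {
    let parts: Vec<&str> = token.trim().split('.').collect();
    if parts.len() != 3 || parts.iter().any(|p| p.is_empty()) { return None; }
    String::from_utf8(b64url_decode(parts[1])?).ok().filter(|j| j.starts_with('{'))
}

// CODEX_API_KEY wins if both are set (PR summary). Assumption: a malformed
// identity token is an error rather than a silent fallback.
fn resolve_env_auth(api_key: Option<&str>, identity: Option<&str>) -> Result<EnvAuth, &'static str> {
    match (api_key, identity) {
        (Some(k), _) => Ok(EnvAuth::ApiKey(k.to_string())),
        (None, Some(t)) => jwt_payload_json(t).map(EnvAuth::AgentIdentityClaims)
            .ok_or("CODEX_AGENT_IDENTITY is not a well-formed JWT"),
        (None, None) => Ok(EnvAuth::None),
    }
}

fn main() {
    // Constructed sample: header {"alg":"none"}, payload {"a":1}, dummy signature.
    let token = "eyJhbGciOiJub25lIn0.eyJhIjoxfQ.c2ln";
    println!("{:?}", resolve_env_auth(None, Some(token)));
}
```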

@efrazer-oai efrazer-oai requested a review from pakrym-oai April 21, 2026 23:13
@efrazer-oai efrazer-oai marked this pull request as ready for review April 21, 2026 23:13
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from db51937 to f15803b Compare April 21, 2026 23:19
@efrazer-oai efrazer-oai requested a review from a team as a code owner April 21, 2026 23:19
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from ca0aeac to 0d52d99 Compare April 21, 2026 23:21
Contributor

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

fn resolved_mode(&self) -> ApiAuthMode {
    if let Some(mode) = self.auth_mode {
        return mode;
    }
    if self.openai_api_key.is_some() {
        return ApiAuthMode::ApiKey;
    }
    ApiAuthMode::Chatgpt

P1 Badge Infer AgentIdentity mode when agent_identity is present

The new JWT/object deserialization for auth.json.agent_identity is ineffective unless auth_mode is also set, because resolved_mode() ignores agent_identity. A JWT-only auth.json falls back to Chatgpt mode and later behaves as missing token auth, which contradicts the “paste one token into auth.json” flow introduced here.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from f15803b to ae57449 Compare April 21, 2026 23:52
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from 0d52d99 to 455f6d5 Compare April 21, 2026 23:54
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch 2 times, most recently from ec85840 to d343533 Compare April 22, 2026 01:04
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from 455f6d5 to fdfad31 Compare April 22, 2026 01:06
@efrazer-oai
Contributor Author

💡 Codex Review

fn resolved_mode(&self) -> ApiAuthMode {
    if let Some(mode) = self.auth_mode {
        return mode;
    }
    if self.openai_api_key.is_some() {
        return ApiAuthMode::ApiKey;
    }
    ApiAuthMode::Chatgpt

P1 Badge Infer AgentIdentity mode when agent_identity is present
The new JWT/object deserialization for auth.json.agent_identity is ineffective unless auth_mode is also set, because resolved_mode() ignores agent_identity. A JWT-only auth.json falls back to Chatgpt mode and later behaves as missing token auth, which contradicts the “paste one token into auth.json” flow introduced here.

Disagree here, we should absolutely set auth_mode if we're copy-pasting in auth.json as the structure is tagged. If we're doing env variable, we don't break.

@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from d343533 to 74c78b4 Compare April 22, 2026 01:10
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from fdfad31 to a87f5e0 Compare April 22, 2026 01:10
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from 74c78b4 to ae23fca Compare April 22, 2026 01:13
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from a87f5e0 to b7a4275 Compare April 22, 2026 01:13
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from ae23fca to bccee32 Compare April 22, 2026 01:19
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from b7a4275 to 7bbbecd Compare April 22, 2026 01:19
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from bccee32 to 160793a Compare April 22, 2026 01:23
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from 7bbbecd to c305e9e Compare April 22, 2026 01:24
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from 160793a to df5a2df Compare April 22, 2026 01:37
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from c305e9e to 8afc806 Compare April 22, 2026 01:38
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-auth-callers branch from df5a2df to ed51cb2 Compare April 22, 2026 01:41
@efrazer-oai efrazer-oai force-pushed the dev/efrazer/agent-identity-env-jwt branch from 8afc806 to f195c46 Compare April 22, 2026 01:41
#[serde(
default,
skip_serializing_if = "Option::is_none",
deserialize_with = "deserialize_agent_identity"
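
Review bot: deserialize_with = "deserialize_agent_identity" on this field has no serialize_with beside it in the visible attribute lines, so the field is read through custom logic but written through the default serializer. If auth.json is ever rewritten after load, a value supplied as a JWT string could come back in a different shape; either document which form is written or add a matching serialize_with so the file round-trips.
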
Collaborator

why are we not storing in a consistent format?

}

#[derive(Deserialize)]
struct AgentIdentityJwtClaims {
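
Review bot: AgentIdentityJwtClaims derives only Deserialize, and nothing in the visible lines documents whether the token's signature or expiry is checked before these claims are used. Add a doc comment on the struct saying where that validation happens, or that the JWT is only decoded, so callers do not treat the claims as authenticated.
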
Collaborator

can this go into agent identity crate?
