Rakesh/support device auth

[rakesh-oai]

External (non-OpenAI) Pull Request Requirements

Before opening this Pull Request, please read the dedicated "Contributing" markdown file or your PR may be closed:
https://github.com/openai/codex/blob/main/docs/contributing.md

If your PR conforms to our contribution guidelines, replace this text with a detailed and high quality description of your changes.

test

codex-rs % export CODEX_DEVICE_AUTH_BASE_URL=http://localhost:3007
codex-rs % cargo run --bin codex login --experimental_use-device-code
   Compiling codex-login v0.0.0 (/Users/rakesh/code/codex/codex-rs/login)
   Compiling codex-mcp-server v0.0.0 (/Users/rakesh/code/codex/codex-rs/mcp-server)
   Compiling codex-tui v0.0.0 (/Users/rakesh/code/codex/codex-rs/tui)
   Compiling codex-cli v0.0.0 (/Users/rakesh/code/codex/codex-rs/cli)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 2.90s
     Running `target/debug/codex login --experimental_use-device-code`
To authenticate, enter this code when prompted: 6Q27-KBVRF with interval 5
^C

The error in the last line is since the poll endpoint is not yet implemented

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[chatgpt-codex-connector]

Codex Review: Here are some suggestions.

Reply with @codex fix comments to fix any unresolved comments.

About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".

[chatgpt-codex-connector]

[P1] Include device_code parameters when polling token endpoint

The polling loop sends POST {issuer}/deviceauth/token with JSON body {"client_id":…, "user_code":…}. In the OAuth 2.0 device authorization grant, the token request must be form‑encoded and include the device_code returned from the first step together with grant_type=urn:ietf:params:oauth:grant-type:device_code. Without those fields, a compliant issuer will respond with invalid_request and this login flow can never succeed outside the mocked tests (which ignore the request body). Consider sending the device code and grant type per the spec instead of the user-facing code.

Useful? React with 👍 / 👎.

[rakesh-oai]

@codex fix comments

[chatgpt-codex-connector]

Summary

• Parsed the device authorization response into explicit user_code, interval, and device_code, fail early when the issuer omits device_code, and poll the token endpoint with a spec-compliant form-encoded body that includes the device grant type. codex-rs/login/src/device_code_auth.rsL66-L92
• Updated device code login unit-test fixtures so /devicecode/usercode responses now provide the device_code alongside the existing fields. codex-rs/login/src/server.rsL682-L915
• Adjusted the integration suite’s mock device authorization flows to return device_code values, keeping the tests aligned with the OAuth device code grant requirements. codex-rs/login/tests/suite/device_code_login.rsL47-L303

Testing

• ✅ just fmt
• ✅ just fix -p codex-login
• ✅ cargo test -p codex-login

View task →

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[rakesh-oai]

@codex review the PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[chatgpt-codex-connector]

Respect issuer when requesting device codes

The new device-code flow constructs the user-code endpoint with a hard-coded http://localhost:3007 instead of using the ServerOptions.issuer that the caller provides. As a result the CLI will always attempt to contact a local server regardless of configuration, and will fail outright in real deployments (e.g., the default https://auth.openai.com issuer or any overridden URL). The commented-out line shows the intended behavior; the current implementation makes the feature unusable.

Useful? React with 👍 / 👎.

[rakesh-oai]

@codex review this PR

[chatgpt-codex-connector]

💡 Codex Review

codex/codex-rs/login/src/device_code_auth.rs

Lines 126 to 134 in 375e31a

	if resp.status().is_success() {
	let code_resp: CodeSuccessResp = resp.json().await.map_err(std::io::Error::other)?;
	let tokens = exchange_device_code_for_tokens(
	&client,
	&opts.issuer,
	&opts.client_id,
	&code_resp.code,
	)
	.await?;

[P1] Deserialize deviceauth success payload into tokens

When the polling request succeeds, the implementation assumes the body contains a device_code and performs a second /oauth/token exchange. The newly added tests stub /deviceauth/token to return the final id_token/access_token/refresh_token, which matches the typical device-code flow where the poll endpoint itself yields tokens. Deserializing into CodeSuccessResp will fail with missing field device_code and the login will error even after the user has authorized. The success branch should read the token fields directly (or handle both shapes) rather than unconditionally requiring a second exchange.

---

codex/codex-rs/login/src/device_code_auth.rs

Lines 153 to 168 in 375e31a

	// Try to parse an error payload; if it's token_pending, sleep and retry
	let status = resp.status();
	if status == StatusCode::NOT_FOUND {
	let elapsed = start.elapsed();
	if elapsed >= max_wait {
	return Err(std::io::Error::other(
	"device auth timed out after 15 minutes",
	));
	}
	let remaining = max_wait - elapsed;
	let sleep_for = Duration::from_secs(interval).min(remaining);
	tokio::time::sleep(sleep_for).await;
	continue;
	} else {
	return Err(std::io::Error::other(format!(
	"device auth failed with status {status}"

[P1] Treat token_pending errors as retryable

Polling only retries when the HTTP status is 404; all other non‑2xx statuses are treated as fatal. The device-code tests model the common behavior of returning 400 with an error payload such as { "error": "token_pending" } while the user is still authorizing. With the current logic a normal pending response will surface device auth failed with status 400 and abort the flow immediately. The loop should parse the error body and continue polling on token_pending (and optionally slow_down) rather than special‑casing 404.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[pakrym-oai]

why id this value coming in different data types?

[rakesh-oai]

this is coming in as string, let me simplify this code.

[pakrym-oai]

should this change the entire issuer address instead?

[rakesh-oai]

Oh nvm, I missed the part that I introduced commandline option, this is redundent I will delete this.

[pakrym-oai]

Can we use strongly typed struct for all request responses?

[pakrym-oai]

nit: this method can be split up

[rakesh-oai]

I split the function into multiple smaller functions.

[pakrym-oai]

Do we need this?

[rakesh-oai]

This is what we are doing for auth callback in regular chatgpt sign up

[rakesh-oai]

https://github.com/openai/codex/blob/main/codex-rs/login/src/server.rs#L235

[pakrym-oai]

That's the old flow we don't use anymore, doesn't matter for device login.

[pakrym-oai]

Sorry for the late nit:

Suggested change

	issuer: Option<String>,
	issuer_base_url: Option<String>,

[pakrym-oai]

Do we need these lifetimes? Can we go with Strings as properties and simplify.

nit: consider Request/Response suffixes.

[pakrym-oai]

why alias, can the field be device_code ?

[pakrym-oai]

nit: we might want to improve this copy

[pakrym-oai]

should this message be before the call?

[pakrym-oai]

we do not need to do this.

[pakrym-oai]

nit:rem

[pakrym-oai]

Nice work!

[rakesh-oai]

@codex review the PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[chatgpt-codex-connector]

Use existing issuer_base_url field when invoking device login

The new device-code branch calls run_login_with_device_code(login_cli.config_overrides, login_cli.issuer) even though LoginCommand only defines issuer_base_url. Because no issuer field exists on LoginCommand, this code path does not compile. Pass the issuer_base_url option (or add the field) so the CLI builds.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Serialize owned strings in device auth request payloads

Both request_user_code and poll_for_token construct UserCodeReq { client_id } / TokenPollReq { client_id, user_code } where the structs declare String fields but the variables are &str. This mismatched ownership prevents the crate from compiling. Convert the borrowed values to String (e.g. client_id.to_owned()) before serializing. The same issue appears again when building TokenPollReq a few lines below.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Access nonexistent field in device code exchange

CodeSuccessResp defines authorization_code, but the login flow passes &code_resp.code to exchange_code_for_tokens. Because code is not a struct field, the file does not compile. Use the defined authorization_code (or rename the struct field to match the API payload).

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Device code login never exchanges tokens for an API key

After the device flow obtains tokens it calls persist_tokens_async with api_key set to None and returns. Unlike the browser-based login, obtain_api_key is never invoked, so no API key is stored and mocked integration tests expecting a second /oauth/token call will fail. Without persisting the API key the CLI cannot authenticate subsequent requests. Consider exchanging the ID token for an API key before saving credentials.

Useful? React with 👍 / 👎.

[rakesh-oai]

I have read the CLA Document and I hereby sign the CLA