fix(app-server): for external auth, replace id_token with chatgpt_acc… (#11240)

…ount_id and chatgpt_plan_type ### Summary Following up on external auth mode which was introduced here: https://github.com/openai/codex/pull/10012 Turns out some clients have a differently shaped ID token and don't have a chosen workspace (aka chatgpt_account_id) encoded in their ID token. So, let's replace `id_token` param with `chatgpt_account_id` and `chatgpt_plan_type` (optional) when initializing the external ChatGPT auth mode (`account/login/start` with `chatgptAuthTokens`). The client was able to test end-to-end with a Codex build from this branch and verified it worked!
2026-04-27 08:05:51 +00:00 · 2026-02-09 20:48:58 -08:00
parent 168c359b71
commit 53741013ab
20 changed files with 245 additions and 144 deletions
--- a/codex-rs/app-server/tests/common/auth_fixtures.rs
+++ b/codex-rs/app-server/tests/common/auth_fixtures.rs
@@ -11,7 +11,7 @@ use codex_core::auth::AuthCredentialsStoreMode;
 use codex_core::auth::AuthDotJson;
 use codex_core::auth::save_auth;
 use codex_core::token_data::TokenData;
-use codex_core::token_data::parse_id_token;
+use codex_core::token_data::parse_chatgpt_jwt_claims;
 use serde_json::json;

 /// Builder for writing a fake ChatGPT auth.json in tests.
@@ -148,7 +148,7 @@ pub fn write_chatgpt_auth(
    cli_auth_credentials_store_mode: AuthCredentialsStoreMode,
 ) -> Result<()> {
    let id_token_raw = encode_id_token(&fixture.claims)?;
-    let id_token = parse_id_token(&id_token_raw).context("parse id token")?;
+    let id_token = parse_chatgpt_jwt_claims(&id_token_raw).context("parse id token")?;
    let tokens = TokenData {
        id_token,
        access_token: fixture.access_token,