mirror of
https://github.com/openai/codex.git
synced 2026-05-01 09:56:37 +00:00
69c8913e24
## Summary This PR adds `CodexAuth::AgentIdentity` as an explicit auth mode. An AgentIdentity auth record is a standalone `auth.json` mode. When `AuthManager::auth().await` loads that mode, it registers one process-scoped task and stores it in runtime-only state on the auth value. Header creation stays synchronous after that because the task is initialized before callers receive the auth object. This PR also removes the old feature flag path. AgentIdentity is selected by explicit auth mode, not by a hidden flag or lazy mutation of ChatGPT auth records. Reference old stack: https://github.com/openai/codex/pull/17387/changes ## Design Decisions - AgentIdentity is a real auth enum variant because it can be the only credential in `auth.json`. - The process task is ephemeral runtime state. It is not serialized and is not stored in rollout/session data. - Account/user metadata needed by existing Codex backend checks lives on the AgentIdentity record for now. - `is_chatgpt_auth()` remains token-specific. - `uses_codex_backend()` is the broader predicate for ChatGPT-token auth and AgentIdentity auth. ## Stack 1. https://github.com/openai/codex/pull/18757: full revert 2. https://github.com/openai/codex/pull/18871: isolated Agent Identity crate 3. This PR: explicit AgentIdentity auth mode and startup task allocation 4. https://github.com/openai/codex/pull/18811: migrate Codex backend auth callsites through AuthProvider 5. https://github.com/openai/codex/pull/18904: accept AgentIdentity JWTs and load `CODEX_AGENT_IDENTITY` ## Testing Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
171 lines
5.3 KiB
Rust
171 lines
5.3 KiB
Rust
use std::path::Path;
|
|
|
|
use anyhow::Context;
|
|
use anyhow::Result;
|
|
use base64::Engine;
|
|
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
|
|
use chrono::DateTime;
|
|
use chrono::Utc;
|
|
use codex_app_server_protocol::AuthMode;
|
|
use codex_config::types::AuthCredentialsStoreMode;
|
|
use codex_login::AuthDotJson;
|
|
use codex_login::save_auth;
|
|
use codex_login::token_data::TokenData;
|
|
use codex_login::token_data::parse_chatgpt_jwt_claims;
|
|
use serde_json::json;
|
|
|
|
/// Builder for writing a fake ChatGPT auth.json in tests.
|
|
#[derive(Debug, Clone)]
|
|
pub struct ChatGptAuthFixture {
|
|
access_token: String,
|
|
refresh_token: String,
|
|
account_id: Option<String>,
|
|
claims: ChatGptIdTokenClaims,
|
|
last_refresh: Option<Option<DateTime<Utc>>>,
|
|
}
|
|
|
|
impl ChatGptAuthFixture {
|
|
pub fn new(access_token: impl Into<String>) -> Self {
|
|
Self {
|
|
access_token: access_token.into(),
|
|
refresh_token: "refresh-token".to_string(),
|
|
account_id: None,
|
|
claims: ChatGptIdTokenClaims::default(),
|
|
last_refresh: None,
|
|
}
|
|
}
|
|
|
|
pub fn refresh_token(mut self, refresh_token: impl Into<String>) -> Self {
|
|
self.refresh_token = refresh_token.into();
|
|
self
|
|
}
|
|
|
|
pub fn account_id(mut self, account_id: impl Into<String>) -> Self {
|
|
self.account_id = Some(account_id.into());
|
|
self
|
|
}
|
|
|
|
pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
|
|
self.claims.plan_type = Some(plan_type.into());
|
|
self
|
|
}
|
|
|
|
pub fn chatgpt_user_id(mut self, chatgpt_user_id: impl Into<String>) -> Self {
|
|
self.claims.chatgpt_user_id = Some(chatgpt_user_id.into());
|
|
self
|
|
}
|
|
|
|
pub fn chatgpt_account_id(mut self, chatgpt_account_id: impl Into<String>) -> Self {
|
|
self.claims.chatgpt_account_id = Some(chatgpt_account_id.into());
|
|
self
|
|
}
|
|
|
|
pub fn email(mut self, email: impl Into<String>) -> Self {
|
|
self.claims.email = Some(email.into());
|
|
self
|
|
}
|
|
|
|
pub fn last_refresh(mut self, last_refresh: Option<DateTime<Utc>>) -> Self {
|
|
self.last_refresh = Some(last_refresh);
|
|
self
|
|
}
|
|
|
|
pub fn claims(mut self, claims: ChatGptIdTokenClaims) -> Self {
|
|
self.claims = claims;
|
|
self
|
|
}
|
|
}
|
|
|
|
#[derive(Debug, Clone, Default)]
|
|
pub struct ChatGptIdTokenClaims {
|
|
pub email: Option<String>,
|
|
pub plan_type: Option<String>,
|
|
pub chatgpt_user_id: Option<String>,
|
|
pub chatgpt_account_id: Option<String>,
|
|
}
|
|
|
|
impl ChatGptIdTokenClaims {
|
|
pub fn new() -> Self {
|
|
Self::default()
|
|
}
|
|
|
|
pub fn email(mut self, email: impl Into<String>) -> Self {
|
|
self.email = Some(email.into());
|
|
self
|
|
}
|
|
|
|
pub fn plan_type(mut self, plan_type: impl Into<String>) -> Self {
|
|
self.plan_type = Some(plan_type.into());
|
|
self
|
|
}
|
|
|
|
pub fn chatgpt_user_id(mut self, chatgpt_user_id: impl Into<String>) -> Self {
|
|
self.chatgpt_user_id = Some(chatgpt_user_id.into());
|
|
self
|
|
}
|
|
|
|
pub fn chatgpt_account_id(mut self, chatgpt_account_id: impl Into<String>) -> Self {
|
|
self.chatgpt_account_id = Some(chatgpt_account_id.into());
|
|
self
|
|
}
|
|
}
|
|
|
|
pub fn encode_id_token(claims: &ChatGptIdTokenClaims) -> Result<String> {
|
|
let header = json!({ "alg": "none", "typ": "JWT" });
|
|
let mut payload = serde_json::Map::new();
|
|
if let Some(email) = &claims.email {
|
|
payload.insert("email".to_string(), json!(email));
|
|
}
|
|
let mut auth_payload = serde_json::Map::new();
|
|
if let Some(plan_type) = &claims.plan_type {
|
|
auth_payload.insert("chatgpt_plan_type".to_string(), json!(plan_type));
|
|
}
|
|
if let Some(chatgpt_user_id) = &claims.chatgpt_user_id {
|
|
auth_payload.insert("chatgpt_user_id".to_string(), json!(chatgpt_user_id));
|
|
}
|
|
if let Some(chatgpt_account_id) = &claims.chatgpt_account_id {
|
|
auth_payload.insert("chatgpt_account_id".to_string(), json!(chatgpt_account_id));
|
|
}
|
|
if !auth_payload.is_empty() {
|
|
payload.insert(
|
|
"https://api.openai.com/auth".to_string(),
|
|
serde_json::Value::Object(auth_payload),
|
|
);
|
|
}
|
|
let payload = serde_json::Value::Object(payload);
|
|
|
|
let header_b64 =
|
|
URL_SAFE_NO_PAD.encode(serde_json::to_vec(&header).context("serialize jwt header")?);
|
|
let payload_b64 =
|
|
URL_SAFE_NO_PAD.encode(serde_json::to_vec(&payload).context("serialize jwt payload")?);
|
|
let signature_b64 = URL_SAFE_NO_PAD.encode(b"signature");
|
|
Ok(format!("{header_b64}.{payload_b64}.{signature_b64}"))
|
|
}
|
|
|
|
pub fn write_chatgpt_auth(
|
|
codex_home: &Path,
|
|
fixture: ChatGptAuthFixture,
|
|
cli_auth_credentials_store_mode: AuthCredentialsStoreMode,
|
|
) -> Result<()> {
|
|
let id_token_raw = encode_id_token(&fixture.claims)?;
|
|
let id_token = parse_chatgpt_jwt_claims(&id_token_raw).context("parse id token")?;
|
|
let tokens = TokenData {
|
|
id_token,
|
|
access_token: fixture.access_token,
|
|
refresh_token: fixture.refresh_token,
|
|
account_id: fixture.account_id,
|
|
};
|
|
|
|
let last_refresh = fixture.last_refresh.unwrap_or_else(|| Some(Utc::now()));
|
|
|
|
let auth = AuthDotJson {
|
|
auth_mode: Some(AuthMode::Chatgpt),
|
|
openai_api_key: None,
|
|
tokens: Some(tokens),
|
|
last_refresh,
|
|
agent_identity: None,
|
|
};
|
|
|
|
save_auth(codex_home, &auth, cli_auth_credentials_store_mode).context("write auth.json")
|
|
}
|