refactor: make auth loading async (#19762)

## Summary Auth loading used to expose synchronous construction helpers in several places even though some auth sources now need async work. This PR makes the auth-loading surface async and updates the callers to await it. This is intentionally only plumbing. It does not change how AgentIdentity tokens are decoded, how task runtime ids are allocated, or how JWT signatures are verified. ## Stack 1. **This PR:** [refactor: make auth loading async](https://github.com/openai/codex/pull/19762) 2. [refactor: load AgentIdentity runtime eagerly](https://github.com/openai/codex/pull/19763) 3. [feat: verify AgentIdentity JWTs with JWKS](https://github.com/openai/codex/pull/19764) ## Important call sites | Area | Change | | --- | --- | | `codex-login` auth loading | `CodexAuth` and `AuthManager` construction paths now await auth loading. | | app-server startup | Auth manager construction is awaited during initialization. | | CLI/TUI/exec/MCP/chatgpt callers | Existing auth-loading calls now await the same behavior. | | cloud requirements storage loader | The loader becomes async so it can share the same auth construction path. | | auth tests | Tests that load auth now run in async contexts. | ## Testing Tests: targeted Rust auth test compilation, formatter, scoped Clippy fix, and Bazel lock check.
2026-05-05 22:01:37 +03:00 · 2026-04-27 11:00:27 -07:00
parent 4ed22fc7d2
commit 2009f6e894
25 changed files with 291 additions and 203 deletions
--- a/codex-rs/tui/src/lib.rs
+++ b/codex-rs/tui/src/lib.rs
@@ -795,7 +795,8 @@ pub async fn run_main(
        /*enable_codex_api_key_env*/ false,
        config_toml.cli_auth_credentials_store.unwrap_or_default(),
        chatgpt_base_url,
-    );
+    )
+    .await;

    let model_provider_override = if cli.oss {
        let resolved = resolve_oss_provider(
@@ -895,7 +896,9 @@ pub async fn run_main(
            auth_credentials_store_mode: config.cli_auth_credentials_store_mode,
            forced_login_method: config.forced_login_method,
            forced_chatgpt_workspace_id: config.forced_chatgpt_workspace_id.clone(),
-        }) {
+        })
+        .await
+        {
            eprintln!("{err}");
            std::process::exit(1);
        }
@@ -1166,7 +1169,8 @@ async fn run_ratatui_app(
                /*enable_codex_api_key_env*/ false,
                initial_config.cli_auth_credentials_store_mode,
                initial_config.chatgpt_base_url.clone(),
-            );
+            )
+            .await;
        }

        // If the user made an explicit trust decision, or we showed the login flow, reload config
--- a/codex-rs/tui/src/onboarding/auth.rs
+++ b/codex-rs/tui/src/onboarding/auth.rs
@@ -986,7 +986,8 @@ mod tests {
                /*enable_codex_api_key_env*/ false,
                AuthCredentialsStoreMode::File,
                "https://chatgpt.com/backend-api/".to_string(),
-            ),
+            )
+            .await,
            feedback: codex_feedback::CodexFeedback::new(),
            log_db: None,
            environment_manager: Arc::new(