refactor: route Codex auth through AuthProvider (#18811)

mirror of https://github.com/openai/codex.git synced 2026-05-04 13:21:54 +03:00

## Summary

This PR moves Codex backend request authentication from direct
bearer-token handling to `AuthProvider`.

The new `codex-auth-provider` crate defines the shared request-auth
trait. `CodexAuth::provider()` returns a provider that can apply all
headers needed for the selected auth mode.

This lets ChatGPT token auth and AgentIdentity auth share the same
callsite path:
- ChatGPT token auth applies bearer auth plus account/FedRAMP headers
where needed.
- AgentIdentity auth applies AgentAssertion plus account/FedRAMP headers
where needed.

Reference old stack: https://github.com/openai/codex/pull/17387/changes

## Callsite Migration

| Area | Change |
| --- | --- |
| backend-client | accepts an `AuthProvider` instead of a raw
token/header |
| chatgpt client/connectors | applies auth through
`CodexAuth::provider()` |
| cloud tasks | keeps Codex-backend gating, applies auth through
provider |
| cloud requirements | uses Codex-backend auth checks and provider
headers |
| app-server remote control | applies provider headers for backend calls
|
| MCP Apps/connectors | gates on `uses_codex_backend()` and keys caches
from generic account getters |
| model refresh | treats AgentIdentity as Codex-backend auth |
| OpenAI file upload path | rejects non-Codex-backend auth before
applying headers |
| core client setup | keeps model-provider auth flow and allows
AgentIdentity through provider-backed OpenAI auth |

## Stack

1. https://github.com/openai/codex/pull/18757: full revert
2. https://github.com/openai/codex/pull/18871: isolated Agent Identity
crate
3. https://github.com/openai/codex/pull/18785: explicit AgentIdentity
auth mode and startup task allocation
4. This PR: migrate Codex backend auth callsites through AuthProvider
5. https://github.com/openai/codex/pull/18904: accept AgentIdentity JWTs
and load `CODEX_AGENT_IDENTITY`

## Testing

Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.

This commit is contained in:

efrazer-oai

2026-04-23 17:14:02 -07:00

committed by

GitHub

parent a9f75e5cda

commit 5882f3f95e

55 changed files with 551 additions and 490 deletions

									
										7

codex-rs/codex-api/src/auth.rs
									
												View File
												
				@@ -34,6 +34,13 @@ pub trait AuthProvider: Send + Sync {

				    /// used by telemetry and non-HTTP request paths.

				    fn add_auth_headers(&self, headers: &mut HeaderMap);

				    /// Returns any auth headers that are available without request body access.

				    fn to_auth_headers(&self) -> HeaderMap {

				        let mut headers = HeaderMap::new();

				        self.add_auth_headers(&mut headers);

				        headers

				    }

				    /// Applies auth to a complete outbound request and returns the request to send.

				    ///

				    /// The input `request` is moved into this method. Implementations may mutate

refactor: route Codex auth through AuthProvider (#18811)

7 codex-rs/codex-api/src/auth.rs Unescape Escape View File

7

codex-rs/codex-api/src/auth.rs

View File