refactor: route Codex auth through AuthProvider (#18811)

## Summary This PR moves Codex backend request authentication from direct bearer-token handling to `AuthProvider`. The new `codex-auth-provider` crate defines the shared request-auth trait. `CodexAuth::provider()` returns a provider that can apply all headers needed for the selected auth mode. This lets ChatGPT token auth and AgentIdentity auth share the same callsite path: - ChatGPT token auth applies bearer auth plus account/FedRAMP headers where needed. - AgentIdentity auth applies AgentAssertion plus account/FedRAMP headers where needed. Reference old stack: https://github.com/openai/codex/pull/17387/changes ## Callsite Migration | Area | Change | | --- | --- | | backend-client | accepts an `AuthProvider` instead of a raw token/header | | chatgpt client/connectors | applies auth through `CodexAuth::provider()` | | cloud tasks | keeps Codex-backend gating, applies auth through provider | | cloud requirements | uses Codex-backend auth checks and provider headers | | app-server remote control | applies provider headers for backend calls | | MCP Apps/connectors | gates on `uses_codex_backend()` and keys caches from generic account getters | | model refresh | treats AgentIdentity as Codex-backend auth | | OpenAI file upload path | rejects non-Codex-backend auth before applying headers | | core client setup | keeps model-provider auth flow and allows AgentIdentity through provider-backed OpenAI auth | ## Stack 1. https://github.com/openai/codex/pull/18757: full revert 2. https://github.com/openai/codex/pull/18871: isolated Agent Identity crate 3. https://github.com/openai/codex/pull/18785: explicit AgentIdentity auth mode and startup task allocation 4. This PR: migrate Codex backend auth callsites through AuthProvider 5. https://github.com/openai/codex/pull/18904: accept AgentIdentity JWTs and load `CODEX_AGENT_IDENTITY` ## Testing Tests: targeted Rust checks, cargo-shear, Bazel lock check, and CI.
2026-05-04 05:11:37 +03:00 · 2026-04-23 17:14:02 -07:00
parent a9f75e5cda
commit 5882f3f95e
55 changed files with 551 additions and 490 deletions
--- a/codex-rs/codex-mcp/src/mcp/auth.rs
+++ b/codex-rs/codex-mcp/src/mcp/auth.rs
@@ -1,7 +1,10 @@
 use std::collections::HashMap;

 use anyhow::Result;
+use codex_config::McpServerConfig;
+use codex_config::McpServerTransportConfig;
 use codex_config::types::OAuthCredentialsStoreMode;
+use codex_login::CodexAuth;
 use codex_protocol::protocol::McpAuthStatus;
 use codex_rmcp_client::OAuthProviderError;
 use codex_rmcp_client::determine_streamable_http_auth_status;
@@ -9,8 +12,7 @@ use codex_rmcp_client::discover_streamable_http_oauth;
 use futures::future::join_all;
 use tracing::warn;

-use codex_config::McpServerConfig;
-use codex_config::McpServerTransportConfig;
+use super::CODEX_APPS_MCP_SERVER_NAME;

 #[derive(Debug, Clone)]
 pub struct McpOAuthLoginConfig {
@@ -126,6 +128,7 @@ pub struct McpAuthStatusEntry {
 pub async fn compute_auth_statuses<'a, I>(
    servers: I,
    store_mode: OAuthCredentialsStoreMode,
+    auth: Option<&CodexAuth>,
 ) -> HashMap<String, McpAuthStatusEntry>
 where
    I: IntoIterator<Item = (&'a String, &'a McpServerConfig)>,
@@ -133,14 +136,24 @@ where
    let futures = servers.into_iter().map(|(name, config)| {
        let name = name.clone();
        let config = config.clone();
-        async move {
-            let auth_status = match compute_auth_status(&name, &config, store_mode).await {
-                Ok(status) => status,
-                Err(error) => {
-                    warn!("failed to determine auth status for MCP server `{name}`: {error:?}");
-                    McpAuthStatus::Unsupported
+        let has_runtime_auth = name == CODEX_APPS_MCP_SERVER_NAME
+            && auth.is_some_and(CodexAuth::uses_codex_backend)
+            && matches!(
+                &config.transport,
+                McpServerTransportConfig::StreamableHttp {
+                    bearer_token_env_var: None,
+                    ..
                }
-            };
+            );
+        async move {
+            let auth_status =
+                match compute_auth_status(&name, &config, store_mode, has_runtime_auth).await {
+                    Ok(status) => status,
+                    Err(error) => {
+                        warn!("failed to determine auth status for MCP server `{name}`: {error:?}");
+                        McpAuthStatus::Unsupported
+                    }
+                };
            let entry = McpAuthStatusEntry {
                config,
                auth_status,
@@ -156,11 +169,16 @@ async fn compute_auth_status(
    server_name: &str,
    config: &McpServerConfig,
    store_mode: OAuthCredentialsStoreMode,
+    has_runtime_auth: bool,
 ) -> Result<McpAuthStatus> {
    if !config.enabled {
        return Ok(McpAuthStatus::Unsupported);
    }

+    if has_runtime_auth {
+        return Ok(McpAuthStatus::BearerToken);
+    }
+
    match &config.transport {
        McpServerTransportConfig::Stdio { .. } => Ok(McpAuthStatus::Unsupported),
        McpServerTransportConfig::StreamableHttp {