OAuth loopback login broken for remote/browser-based consoles (GCP, Codespaces, etc.)

[welliv]

Problem

When running hermes model (or any OAuth login) on a remote VM or browser-based console (GCP Cloud Shell, AWS EC2 Instance Connect, GitHub Codespaces, etc.), OAuth flows fail because the authorization URL contains a hardcoded redirect_uri=http://127.0.0.1:<port>/callback.

After the user authorizes in their local browser, the provider redirects back to 127.0.0.1 on the remote machine, which is unreachable. The existing SSH tunnel hint only helps users with a real local SSH client — it provides no path forward for browser-only remote consoles.

Solution Implemented

Added a reusable _oauth_prompt_manual_code() helper that allows users to complete OAuth login by pasting either the full failed callback URL or just the authorization code.

The helper was integrated into the xAI Grok OAuth flow (and prepared for Spotify). Users can now simply paste the code when the browser redirect fails, and authentication completes successfully.

Changes

• New helper: _oauth_prompt_manual_code() in hermes_cli/auth.py
• Refactored xAI OAuth login to use the helper
• Supports both full callback URL and raw code input

The fix has been tested and confirmed working on a remote GCP VM.

[welliv]

Update: I've improved the manual fallback implementation:

• Now accepts either the full callback URL or just the authorization code directly (more user-friendly)
• Improved prompt text for clarity
• The change is isolated to hermes_cli/auth.py in the xAI OAuth flow

The implementation is functional. A small amount of cleanup is still needed to eliminate static analysis warnings before opening a PR.

Would still love feedback on whether this direction is acceptable.

[welliv]

Update: Solution included

I've implemented a clean solution directly in the codebase. Here's the summary:

What was added

A reusable helper _oauth_prompt_manual_code() that allows users to complete OAuth login by pasting either:

• The full failed callback URL, or
• Just the authorization code

Changes Made

diff --git a/hermes_cli/auth.py b/hermes_cli/auth.py
index 6cabb6157..606650db6 100644
--- a/hermes_cli/auth.py
+++ b/hermes_cli/auth.py
@@ -2628,6 +2634,43 @@ def _print_loopback_ssh_hint(redirect_uri: str, *, docs_url: str | None = None)
     print()


+def _oauth_prompt_manual_code(
+    *,
+    prompt: str = "If the redirect cannot reach this machine, paste the code or full callback URL:",
+) -> tuple[str | None, str | None]:
+    """Prompt for manual OAuth code input (supports full URL or raw code).
+
+    Returns (code, state) tuple. State may be None if user pasted only the code.
+    """
+    print()
+    print(prompt)
+    try:
+        user_input = input("> ").strip()
+    except (EOFError, KeyboardInterrupt):
+        user_input = ""
+
+    if not user_input:
+        return None, None
+
+    code = None
+    state = None
+
+    if "code=" in user_input:
+        try:
+            parsed = urlparse(user_input)
+            qs = parse_qs(parsed.query)
+            code = qs.get("code", [None])[0]
+            state = qs.get("state", [None])[0]
+        except Exception:
+            pass
+    else:
+        # Treat the entire input as the code
+        code = user_input
+
+    return code, state
+
+
+
 # =============================================================================
 # OpenAI Codex auth — tokens stored in ~/.hermes/auth.json (not ~/.codex/)
 #
@@ -5343,22 +5386,31 @@ def _xai_oauth_loopback_login(

         _print_loopback_ssh_hint(redirect_uri, docs_url=XAI_OAUTH_DOCS_URL)

-        if open_browser and not _is_remote_session():
-            try:
-                opened = webbrowser.open(authorize_url)
-            except Exception:
-                opened = False
-            if opened:
-                print("Browser opened for xAI authorization.")
-            else:
-                print("Could not open the browser automatically; use the URL above.")
+        # Manual fallback for remote consoles
+        code, state = _oauth_prompt_manual_code()
+        if code:
+            callback_result["code"] = code
+            if state:
+                callback_result["state"] = state
+            print("Code received via manual paste. Proceeding with token exchange...")

-        callback = _xai_wait_for_callback(
-            server,
-            thread,
-            callback_result,
-            timeout_seconds=max(30.0, timeout_seconds * 9),
-        )
+        if not callback_result.get("code"):
+            if open_browser and not _is_remote_session():
+                try:
+                    opened = webbrowser.open(authorize_url)
+                except Exception:
+                    opened = False
+                if opened:
+                    print("Browser opened for xAI authorization.")
+                else:
+                    print("Could not open the browser automatically; use the URL above.")
+
+            callback = _xai_wait_for_callback(
+                server,
+                thread,
+                callback_result,
+                timeout_seconds=max(30.0, timeout_seconds * 9),
+            )

Files Changed

• hermes_cli/auth.py

How to Test

1. Run hermes model
2. Select xAI Grok OAuth
3. When prompted for the manual code, paste either the full callback URL or just the code value

The change is isolated and low-risk. I'm happy to open a formal PR if preferred, or refine it based on feedback.