feat(auth): add OAuth authorization code + PKCE for Codex provider #2790
Merged
amitksingh1490 merged 14 commits into antinomyhq:main from Apr 4, 2026
The Codex provider previously only supported the device code flow, which requires workspace admin enablement on OpenAI Business/Enterprise plans. Add authorization code + PKCE as the primary login method so non-admin users can authenticate through a standard browser redirect.

Provider config (provider.json):
- Add oauth_code entry before codex_device with PKCE, localhost redirect on port 1455, and the same client ID / scopes

Auth strategy (strategy.rs):
- Extract chatgpt_account_id helper to module level so both OAuthCodeStrategy and CodexDeviceStrategy can use it
- Enrich OAuth code credentials with the ChatGPT account ID needed for API request headers

UI callback server (ui.rs):
- Localhost TCP listener with state validation, HTML response pages, 5-minute timeout, and graceful fallback to manual paste if the port is unavailable

Closes antinomyhq#2767
Track elapsed time from the start of each accept attempt instead of comparing a fixed duration against the deadline on every poll iteration.
Prefer id_token claims for ChatGPT account ID extraction and fall back to access_token when needed. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Move the localhost OAuth callback server into a dedicated module so ui.rs only orchestrates the browser auth flow. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Use the OAuth callback server with a fully qualified path so the UI file keeps fewer incidental changes. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
Keep the existing placeholder test module in ui.rs so the refactor does not remove unrelated test scaffolding. Co-Authored-By: ForgeCode <noreply@forgecode.dev>
amitksingh1490 approved these changes on Apr 4, 2026
This was referenced Apr 5, 2026
Summary

- chatgpt_account_id JWT helper to module level so both the new code flow and existing device flow can enrich credentials with the account ID needed for API request headers

Test plan

- forge provider login codex on an OpenAI Business plan account — browser redirect completes without device code prompt
- cargo test -p forge_main --lib -- ui::tests — 3 tests pass (redirect URI detection, callback capture, state mismatch rejection)
- cargo test -p forge_infra --lib — 60 tests pass (including extract_chatgpt_account_id tests)
- cargo clippy -p forge_main -p forge_infra -p forge_repo -- -D warnings — zero warnings

Closes #2767
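The state validation that the commit message and test plan above attribute to the localhost callback server, as an added Rust example that is not code from this pull request. The type and function names, the `/auth/callback` path and the sample values are assumptions, and query values are left percent-encoded.

```rust
// Added illustration, not forge's code. Names and the callback path are assumptions.
#[derive(Debug, PartialEq)]
pub enum Callback {
    Code(String),          // state matched, authorization code present
    ProviderError(String), // state matched, provider returned `error=`
    StateMismatch,         // missing or wrong state: drop the request
    Malformed,             // not a GET carrying the expected query
}

/// Compare without returning early on the first differing byte.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Inspect the HTTP request line; values stay percent-encoded (decode before use).
pub fn parse_callback(request_line: &str, expected_state: &str) -> Callback {
    let mut parts = request_line.split_whitespace();
    let (Some("GET"), Some(target)) = (parts.next(), parts.next()) else {
        return Callback::Malformed;
    };
    let Some((_, query)) = target.split_once('?') else {
        return Callback::Malformed;
    };
    let (mut code, mut state, mut error) = (None, None, None);
    for pair in query.split('&') {
        match pair.split_once('=') {
            Some(("code", v)) => code = Some(v),
            Some(("state", v)) => state = Some(v),
            Some(("error", v)) => error = Some(v),
            _ => {}
        }
    }
    // State is checked first: any local process or page can reach the loopback port.
    match state {
        Some(s) if ct_eq(s, expected_state) => {}
        _ => return Callback::StateMismatch,
    }
    match (error, code) {
        (Some(e), _) => Callback::ProviderError(e.to_string()),
        (None, Some(c)) if !c.is_empty() => Callback::Code(c.to_string()),
        _ => Callback::Malformed,
    }
}

fn main() {
    // Constructed request line and state value.
    let line = "GET /auth/callback?code=abc123&state=s3cr3t HTTP/1.1";
    println!("{:?}", parse_callback(line, "s3cr3t"));
}
```

A `StateMismatch` result should leave the listener waiting for the genuine redirect until the timeout, rather than ending the login attempt.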