OpenAI Codex OAuth in 2026.3.13 does not honor env proxy during code-to-token exchange

[peng202113]

Bug type

Regression (worked before, now fails)

Summary

On macOS, OpenClaw 2026.3.13 completes the browser auth step for OpenAI Codex OAuth but fails at code-to-token exchange, while 2026.2.6-3 succeeds under the same proxy setup.

Steps to reproduce

1. On macOS, set HTTP_PROXY and HTTPS_PROXY to a local HTTP proxy.
2. Run openclaw@2026.3.13.
3. Start OpenAI Codex OAuth onboarding.
4. Complete the browser sign-in successfully.
5. Observe OpenClaw fail at the token exchange step with unsupported_country_region_territory.
6. Downgrade to openclaw@2026.2.6-3 and repeat the same flow.
7. Observe the OAuth flow complete successfully.

Expected behavior

Under the same proxy setup, the OpenAI Codex OAuth flow should complete in 2026.3.13, as observed in 2026.2.6-3.

Actual behavior

The browser auth step succeeds, but OpenClaw 2026.3.13 fails during code-to-token exchange with:

[openai-codex] code->token failed: 403 {"error":{"code":"unsupported_country_region_territory","message":"Country, region, or territory not supported","param":null,"type":"request_forbidden"}}
OpenAI OAuth failed
Error: Token exchange failed


### OpenClaw version

2026.3.13 (failing), 2026.2.6-3 (last known good)

### Operating system

macOS 26.3.2

### Install method

npm global

### Model

openai-codex/gpt-5.4

### Provider / routing chain

openclaw -> local  HTTP proxy via HTTP_PROXY/HTTPS_PROXY -> auth.openai.com OAuth token exchange

### Additional provider/model setup details

The failing flow uses OpenAI Codex OAuth in `openclaw@2026.3.13`.

Observed code path:
- `openclaw@2026.3.13` imports `loginOpenAICodex` from `@mariozechner/pi-ai/oauth`
- `pi-ai@0.58.0` `dist/oauth.js` re-exports `./utils/oauth/index.js`
- new `dist/utils/oauth/index.js` no longer imports `../http-proxy.js`
- `dist/utils/oauth/openai-codex.js` still uses plain `fetch(TOKEN_URL, ...)`

Observed older working path:
- `openclaw@2026.2.6-3` imports `loginOpenAICodex` from `@mariozechner/pi-ai`
- old `pi-ai` OAuth entry imported `../http-proxy.js`
- that proxy init called `setGlobalDispatcher(new EnvHttpProxyAgent())

### Logs, screenshots, and evidence

```shell
Observed failure in `2026.3.13`:


[openai-codex] code->token failed: 403 {"error":{"code":"unsupported_country_region_territory","message":"Country, region, or territory not supported","param":null,"type":"request_forbidden"}}
OpenAI OAuth failed
Error: Token exchange failed
Observed success in 2026.2.6-3 under the same local proxy workflow.

Observed code comparison:

old @mariozechner/pi-ai OAuth entry imported ../http-proxy.js
new @mariozechner/pi-ai/oauth path does not import that proxy init
openai-codex.js remained on plain fetch(...)
Observed runtime verification on the old path:

before=Agent
after=EnvHttpProxyAgent
Observed runtime verification after local patching of 2026.3.13 to import a proxy init shim before the OpenAI OAuth flow:

before=Agent
after=EnvHttpProxyAgent

Impact and severity

Affected users/systems/channels: macOS users using OpenAI Codex OAuth behind env-based local proxies
Severity: High (blocks OpenAI Codex onboarding)
Frequency: Observed consistently in 2026.3.13 and resolved after downgrade to 2026.2.6-3
Consequence: OpenAI Codex OAuth cannot complete, so onboarding is blocked

Additional information

Last known good version: 2026.2.6-3
Observed bad version: 2026.3.13

Observed local workaround:
import a proxy-init shim before the OpenAI OAuth flow so the global undici dispatcher becomes EnvHttpProxyAgent.

This looks like a regression caused by the move from @mariozechner/pi-ai to @mariozechner/pi-ai/oauth without preserving the previous proxy-init side effect.

[peng202113]

A likely minimal fix is to restore env-proxy initialization before the OpenAI Codex OAuth flow in 2026.3.13.

Observed old behavior:

• older path imported @mariozechner/pi-ai
• old OAuth entry imported ../http-proxy.js
• that init set the global undici dispatcher to EnvHttpProxyAgent

Observed new behavior:

• new path imports loginOpenAICodex from @mariozechner/pi-ai/oauth
• that path no longer triggers the old proxy init side effect
• openai-codex.js still does plain fetch(TOKEN_URL, ...)

Local workaround that worked:

• add a small proxy-init shim before the OpenAI OAuth flow
• if HTTP_PROXY / HTTPS_PROXY is set, call setGlobalDispatcher(new EnvHttpProxyAgent())

Example shape:

import { EnvHttpProxyAgent, getGlobalDispatcher, setGlobalDispatcher } from "undici";

if (process.env.HTTP_PROXY || process.env.HTTPS_PROXY || process.env.http_proxy || process.env.https_proxy) {
  const current = getGlobalDispatcher()?.constructor?.name ?? "";
  if (!current.includes("EnvHttpProxyAgent")) {
    setGlobalDispatcher(new EnvHttpProxyAgent());
  }
}

[Hollychou924]

Analysis: 2026.3.13 Codex OAuth env proxy regression

The root cause is clearly identified in the issue — the import path change from @mariozechner/pi-ai to @mariozechner/pi-ai/oauth dropped the implicit http-proxy.js side-effect import that was calling setGlobalDispatcher(new EnvHttpProxyAgent()).

This is a classic case of depending on import side effects — the old entry point happened to initialize the proxy dispatcher as a side effect, and the new subpath export doesn't.

Minimal fix

The fix in the commenter's workaround is correct. Before calling loginOpenAICodex, initialize the global undici dispatcher if proxy env vars are set:

// In the OpenAI Codex OAuth flow, before loginOpenAICodex():
import { EnvHttpProxyAgent, getGlobalDispatcher, setGlobalDispatcher } from "undici";

function ensureEnvProxy(): void {
  const proxyUrl = 
    process.env.HTTPS_PROXY ?? 
    process.env.HTTP_PROXY ?? 
    process.env.https_proxy ?? 
    process.env.http_proxy;
    
  if (!proxyUrl) return;
  
  const currentDispatcher = getGlobalDispatcher();
  if (currentDispatcher?.constructor?.name?.includes('EnvHttpProxyAgent')) return;
  
  setGlobalDispatcher(new EnvHttpProxyAgent());
}

// Then:
ensureEnvProxy();
await loginOpenAICodex(...);

Why this is the right fix vs alternatives

• Don't re-add the old import: The move to subpath exports was intentional — don't re-add a dep on undocumented entry points
• Don't patch pi-ai: OpenClaw shouldn't rely on a third-party package initializing its dispatcher
• Do own the proxy init: OpenClaw's OAuth flows should explicitly control the dispatcher before making external HTTP calls

Scope

This same issue may affect other OAuth flows that were migrated to new subpath exports if they also relied on the old proxy side effect. Worth auditing all OAuth flow code paths for similar dispatcher assumptions.

[Artyomkun]

@steipete

This is a clean regression analysis — the proxy init was tied to an import side effect that's no longer triggered.

The proposed fix (explicitly setting the global undici dispatcher before the OAuth flow) is the right approach. It makes the proxy handling explicit and maintainable, rather than relying on hidden imports.

Worth checking other OAuth flows that were migrated to subpath exports — they might have the same issue.