OpenAI Codex OAuth can bind to a deactivated ChatGPT workspace when accounts have multiple workspaces

[sinogello]

Summary

OpenClaw's OpenAI Codex OAuth flow appears to rely on upstream @mariozechner/pi-ai/oauth workspace/account selection without validating that the selected ChatGPT workspace is still active.

If a ChatGPT account has multiple workspaces and one of them is deactivated, OAuth login may intermittently succeed but later fail with a workspace deactivated error, depending on which workspace/account context gets selected.

Environment

• OpenClaw version: 2026.3.28-beta.1
• Repo inspected: main branch of openclaw/openclaw
• Provider: openai-codex via ChatGPT OAuth

Reproduction

1. Use a ChatGPT/OpenAI account that belongs to two workspaces:
   • Workspace A: active / normal
   • Workspace B: deactivated
2. Run OpenClaw setup/login with openai-codex OAuth.
3. Complete OAuth successfully.
4. Use the provider in OpenClaw.
5. Intermittently, requests fail with an error indicating the selected workspace is deactivated.

Expected behavior

OpenClaw should not bind to or continue using a deactivated ChatGPT workspace when an active workspace is available.

Ideally it should:

• prefer an active workspace/account automatically,
• or probe and persist a usable accountId after OAuth,
• or detect workspace deactivated and retry/fallback to another active workspace,
• or at minimum surface a clearer remediation path.

Actual behavior

The OAuth flow can complete successfully, but later runtime behavior fails because the selected workspace/account context is deactivated.

Code analysis

From the current main branch, OpenClaw seems to delegate the critical workspace/account selection behavior to upstream OAuth helpers and does not add an active-workspace validation layer.

OAuth login path

src/plugins/provider-openai-codex-oauth.ts

This path calls loginOpenAICodex(...) from @mariozechner/pi-ai/oauth and returns the credentials, but I do not see any OpenClaw-side logic here that enumerates workspaces or filters out deactivated ones after login.

Provider auth result construction

extensions/openai/openai-codex-provider.ts

runOpenAICodexOAuth() builds the stored auth result from returned credentials, but does not appear to perform a post-login workspace/account sanity check before persisting them.

Usage path does support accountId, but only passively

src/infra/provider-usage.fetch.codex.ts

This code sends ChatGPT-Account-Id when accountId exists, but that only helps if the stored credential already contains a correct, active account/workspace selection.

Refresh fallback exists, but only for one narrow failure mode

extensions/openai/openai-codex-provider.ts

There is already a refresh fallback for:

• Failed to extract accountId from token

However, I do not see analogous handling for:

• workspace deactivated
• or cases where accountId extraction succeeds but resolves to a deactivated workspace

Suspected root cause

OpenClaw currently appears to trust upstream OAuth/account resolution too much for multi-workspace ChatGPT accounts.

If upstream selection is unstable / cached / defaulted to the wrong workspace, OpenClaw has no additional guardrail to:

• filter deactivated workspaces,
• pin a known-good active workspace,
• or retry on deactivated-workspace failures.

Suggested fixes

Any of these would likely improve the situation:

1. Post-OAuth workspace validation in OpenClaw

   • After OAuth succeeds, query ChatGPT backend/account metadata
   • Detect active vs deactivated workspaces
   • Persist a usable active accountId

2. Runtime fallback on workspace deactivated

   • If a request fails with workspace deactivated, do not fail immediately
   • Re-discover available workspaces/accounts
   • Retry once with a different active workspace/account
   • Persist the recovered accountId if successful

3. Upstream fix in @mariozechner/pi-ai/oauth

   • If that library is responsible for selecting workspace/account context, it should prefer active workspaces and avoid deactivated ones by default

4. Broaden current refresh fallback logic

   • Extend current narrow extract accountId fallback handling to also consider deactivated-workspace cases

Why this matters

This is especially painful because OAuth can appear to succeed, so users only discover the problem later during actual provider use. For accounts with multiple workspaces, this makes the OpenAI OAuth path feel flaky and nondeterministic.

---

If helpful, I can also prepare a PR sketch for either:

• OpenClaw-side post-login validation / fallback, or
• an upstream fix if the maintainers confirm the issue belongs in @mariozechner/pi-ai/oauth.

[sinogello]

Adding a quick related-issues note for triage:

This issue does not appear to be a duplicate of the existing OpenAI Codex OAuth / accountId issues I found, but it seems related to the same general area (OAuth account/workspace resolution and resilience):

• Session enters zombie state after embedded agent init failure (deactivated_workspace) — no auto-recovery #54964 — deactivated_workspace currently leaves sessions in a bad state after init failure
• OAuth (ChatGPT Pro) only works with GPT-4o — all GPT-5+ models fail with "Failed to extract accountId from token" #27055 — GPT-5+ OAuth path can fail with Failed to extract accountId from token
• Cron jobs fail with 'Failed to extract accountId from token' when falling back to OpenAI Codex provider #36604 — cron fallback previously failed on Failed to extract accountId from token (now closed/fixed)
• OpenAI Codex OAuth token refresh not persisting to disk #52037 — OAuth token refresh persistence issue

My current read is that #56693 is a distinct bug:

• those issues are mostly about accountId extraction / persistence / post-failure behavior
• this one is about multi-workspace accounts where OAuth/runtime can bind to a deactivated ChatGPT workspace even though an active workspace exists

So the likely common theme is: OpenAI Codex OAuth needs stronger account/workspace selection and fallback behavior across login, refresh, and runtime error handling.

[davebarnwell]

I recently switched my account for OpenAI from business to personal, which has left me with a deactivated workspace for the old business account. I regularly now get {"detail":{"code":"deactivated_workspace"}} when cron tasks run, likewise when trying to interact with the agent via telegram. I just updated to v2026.4.8 and this continues to be an issue. OpenAI is unusable for me now via OpenClaw.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve. Reviewed June 10, 2026, 1:01 AM ET / 05:01 UTC.

Summary
Codex review failed: codex execution failed.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Ways to help us reproduce this

• Add a screenshot or short recording showing the behavior.
• Include the exact command, prompt, or workflow that triggered it.
• Add expected vs actual behavior.

Next step
Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Remaining risk / open question:

• No close action taken because the review did not complete.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e9671ed60327.

Label changes

Label changes:

• add issue-rating: 🦪 silver shellfish: Current issue advisory state selects this label.
• add clawsweeper:needs-info: Current issue advisory state selects this label.
• remove P2: Current review triage priority is none.
• remove clawsweeper:no-new-fix-pr: Current issue advisory state no longer selects this label.
• remove clawsweeper:fix-shape-clear: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-maintainer-review: Current issue advisory state no longer selects this label.
• remove clawsweeper:needs-product-decision: Current issue advisory state no longer selects this label.
• remove clawsweeper:source-repro: Current issue advisory state no longer selects this label.
• remove impact:auth-provider: Current review selected no impact labels.
• remove issue-rating: 🦞 diamond lobster: Current issue advisory state no longer selects this label.

Evidence reviewed

What I checked:

• failure reason: codex execution failed.
• codex failure detail: Codex review failed for this issue with exit 1.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[hnboy2005]

I also encountered the same issue: when switching from a business account to a personal account after canceling the subscription, even if I have successfully logged in with the personal account before, after a while it still reports the same error