openai-codex provider broken since 2026.4.5 — Cloudflare challenge + missing OAuth scope

[apexict245]

Bug Description

The openai-codex provider fails on all models (gpt-5.4, gpt-5.3-codex, gpt-5.2) since approximately version 2026.4.5. Two stacked issues prevent any request from completing.

Environment

• OpenClaw version: 2026.4.12 (also tested on 2026.4.14)
• Container: ghcr.io/openclaw/openclaw:latest
• Platform: Docker on macOS (Colima), arm64
• Auth method: Codex CLI OAuth (openclaw onboard --auth-choice openai-codex)
• OpenAI subscription: Pro ($200/mo)

Issue 1: Cloudflare JS Challenge (HTTP 403)

The openai-codex provider uses a hardcoded native route (route=native policy=hidden) that hits chatgpt.com/backend-api. Cloudflare returns a JS challenge that headless containers cannot solve:

HTTP/2 403
cf-mitigated: challenge

Container logs show:

embedded run agent end: isError=true model=gpt-5.4 provider=openai-codex 
error=LLM request failed: DNS lookup for the provider endpoint failed. 
rawError=<html>...(Cloudflare challenge page)...

The error message "DNS lookup failed" is misleading — DNS resolves fine, the issue is Cloudflare returning HTML instead of JSON.

Tested from both container and host — same 403 with cf-mitigated: challenge on all paths:

• curl https://chatgpt.com/backend-api/codex/v1/responses → 403
• Both with and without Bearer token

Issue 2: Missing api.responses.write OAuth Scope

The Codex CLI OAuth client (app_EMoamEEZ73f0CkXaXp7hrann) requests scopes: openid profile email offline_access api.connectors.read api.connectors.invoke. It does NOT include api.responses.write.

When testing the token directly against api.openai.com/v1/responses:

{
  "error": {
    "message": "Missing scopes: api.responses.write"
  }
}

Re-authing via openclaw onboard --auth-choice openai-codex issues a fresh token with the same limited scopes.

What We Tried (All Failed)

1. Revoking OpenClaw consent in OpenAI connected apps settings, then re-authing
2. Running openclaw onboard --auth-choice openai-codex (fresh token, same scopes)
3. Upgrading Codex CLI from 0.104.0 to 0.120.0
4. Pinning to openai-codex/gpt-5.3-codex (same Cloudflare block)
5. Using the codex/gpt-5.4 provider prefix (separate provider entry in models.json, also fails)
6. Overriding baseUrl in models.json — the native route (policy=hidden) ignores it

Additional Issue: openclaw onboard Wipes Auth

Running openclaw onboard --auth-choice openai-codex empties agents/main/agent/auth.json (0 bytes). This causes ALL providers to lose authentication until the container is fully restarted with environment variables re-injected. This feels like a separate bug.

Expected Behavior

The openai-codex provider should route requests to the ChatGPT backend API in a way that either:

• Bypasses Cloudflare challenges (as the Codex CLI itself does)
• Or uses the public API (api.openai.com/v1/responses) with proper OAuth scopes including api.responses.write

Workaround

Using anthropic/claude-haiku-4-5-20251001 as primary model with direct Anthropic API key. This works reliably but doesn't use the OpenAI Pro subscription.

Reproduction Steps

1. Deploy OpenClaw 2026.4.12+ in Docker
2. Run openclaw onboard --auth-choice openai-codex and complete the OAuth flow
3. Set primary model to openai-codex/gpt-5.4
4. Send any message
5. Observe Cloudflare 403 in container logs with cf-mitigated: challenge

[vincentkoc]

This one is related but not a clean duplicate.

The missing-scope half is covered by the Codex OAuth/transport fixes already on main, including #64713. The Cloudflare/headless-container challenge is a different runtime/network path, so I am leaving this open instead of closing it with the scope duplicates.

If the remaining repro is only Missing scopes after a fresh reauth on current OpenClaw, say so and I can fold it into the closed scope track. Otherwise this should stay focused on the container/Cloudflare behavior.

[clawsweeper]

Thanks for the report. I gave this a fresh shell check against current main, and I could not reproduce it anymore.

Close as cannot reproduce for this exact Docker-on-macOS/Colima report. The original reporter retested the same route on a later release and confirmed that neither the Cloudflare 403 nor the missing-scope failure reproduces, while current main and shipped changelog entries show the OAuth-scope regression and misleading HTML/DNS diagnosis have been addressed; the separate proxy-specific Cloudflare tracker remains distinct.

Review details

Best possible solution:

Close this exact report as obsolete, keep the shipped Codex OAuth passthrough and HTML diagnostic behavior, and leave any still-active proxy-specific Cloudflare challenge work on the separate #67670 tracker.

Do we have a high-confidence way to reproduce the issue?

No for current behavior. The original steps were concrete, but the original reporter reran the same Docker/Colima path on a later release and reported that neither failure now reproduces.

Is this the best way to solve the issue?

Yes. Closing this specific no-longer-reproducing report while preserving the separate Cloudflare proxy tracker is narrower and safer than treating it as a request for a new browser/TLS bypass in core.

Security review:

Security review: This is a non-PR issue review with no patch security or supply-chain review to perform.

What I checked:

• reporter_retest: The reporter updated the issue on 2026-05-01 saying the original Docker on macOS/Colima setup had used openai-codex/gpt-5.4 continuously on OpenClaw 2026.4.26 with no cf-mitigated: challenge, no Missing scopes: api.responses.write, and working streamed responses/tool calls.
• oauth_scope_passthrough_test: Current tests lock that OpenClaw passes the Pi-provided Codex authorize URL through without appending unsupported scopes such as api.responses.write. (src/plugins/provider-openai-codex-oauth.test.ts:108, b277ae3f4c40)
• scope_fix_shipped: The changelog records the fix(auth): stop forcing unsupported Codex OAuth scopes #64713 fix in 2026.4.11: OpenClaw stopped rewriting upstream Codex authorize URL scopes so new sign-ins do not fail with invalid_scope. (CHANGELOG.md:2460, b277ae3f4c40)
• codex_route_current_main: Current main still keeps openai-codex on the ChatGPT/Codex backend route and normalizes compatible metadata to openai-codex-responses, matching the reporter's route rather than moving it to public OpenAI API scopes. (extensions/openai/openai-codex-provider.ts:134, b277ae3f4c40)
• cloudflare_html_diagnostic: Current tests ensure standalone Cloudflare challenge HTML is diagnosed as provider/CDN HTML instead of a DNS failure, which addresses the misleading error text from the original report. (src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts:206, b277ae3f4c40)
• auth_json_preservation: Current auth bridge code merges credentials into auth.json and test coverage preserves existing entries not present in auth-profiles, so the reported blanket wipe does not match current behavior. (src/agents/pi-auth-json.test.ts:187, b277ae3f4c40)

Likely related people:

• fuller-stack-dev: Authored PR fix(auth): stop forcing unsupported Codex OAuth scopes #64713, which removed the unsupported Codex OAuth scope mutation and is the shipped fix for the missing-scope half of this report. (role: introduced scope fix; confidence: high; commits: 8824d32c6eca, [PR fix(auth): stop forcing unsupported Codex OAuth scopes #64713](PR fix(auth): stop forcing unsupported Codex OAuth scopes #64713); files: src/plugins/provider-openai-codex-oauth.ts, src/plugins/provider-openai-codex-oauth.test.ts, CHANGELOG.md)
• stainlu: Credited for fix(agents): classify Cloudflare/CDN HTML error pages as transport failures #67642, which changed HTML provider error handling around CDN-style pages while preserving auth treatment for 401/403 HTML responses. (role: adjacent error-classification owner; confidence: medium; commits: e588e904a744, [PR fix(agents): classify Cloudflare/CDN HTML error pages as transport failures #67642](PR fix(agents): classify Cloudflare/CDN HTML error pages as transport failures #67642); files: src/agents/pi-embedded-helpers/errors.ts, src/agents/pi-embedded-helpers/provider-error-patterns.test.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts)
• chris-yyau: Credited for fix(errors): stop treating Codex HTML challenge pages as DNS failures #67704, the shipped standalone Cloudflare/CDN challenge-page diagnostic fix that prevents those pages from being misreported as DNS failures. (role: adjacent Cloudflare diagnostic owner; confidence: medium; commits: [PR fix(errors): stop treating Codex HTML challenge pages as DNS failures #67704](PR fix(errors): stop treating Codex HTML challenge pages as DNS failures #67704); files: src/shared/assistant-error-format.ts, src/agents/pi-embedded-helpers.formatassistanterrortext.test.ts, src/agents/pi-embedded-helpers.isbillingerrormessage.test.ts)
• vincentkoc: Posted the maintainer triage comment splitting the already-fixed scope regression from the Cloudflare runtime path, and prior history points to adjacent Codex provider/runtime ownership. (role: recent maintainer and triage owner; confidence: medium; commits: 9d68c6768ae2; files: extensions/openai/openai-codex-provider.ts, docs/providers/openai.md, src/agents/openai-transport-stream.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b277ae3f4c40.

[apexict245]

Thanks @vincentkoc. Reporter here — quick repro update from the original Docker-on-macOS-Colima setup that filed this:

Running OpenClaw 2026.4.26 (latest tag, container image 04e27383656941e59fba80a5a9c28b709f240ea980bd2cb375e4a7786d5a7a20), openai-codex/gpt-5.4 has been our primary model continuously since ~2026-04-19 (first verified working on 2026.4.15, fix landed in 2026.4.11). Same network path as the original report — Docker on Colima → chatgpt.com/backend-api via route=native policy=hidden.

Neither half of the original report is reproducing on current main:

• No cf-mitigated: challenge / 403 in container logs
• No Missing scopes: api.responses.write responses
• Streamed responses, tool calls, parallel_tool_calls all working

So from our environment, #64713 plus the HTML error classification work on main appears to have addressed both surfaces, not just the scope half. I can't say why the Cloudflare challenge stopped firing (no visibility into whether it's a transport change on your side or something upstream at chatgpt.com), only that the reported repro no longer triggers it for us.

Happy for you to fold this into the closed scope track. If the issue is genuinely better kept open as a tracker for other users still hitting the headless-container Cloudflare path, no objection — just wanted to be clear we're not the active repro for it anymore.

(Unrelated: we are seeing a separate Codex token-refresh issue — refresh_token_reused 401 on background refresh forcing manual codex login every ~couple weeks — but that's a different code path and I'll file it separately if it persists past the next re-auth.)

[steipete]

Quite sure I fixed that, pleae retest with .29+