fix(auth): accept oauthRef profiles for runtime auth #81633

Merged: obviyus merged 2 commits into main from codex/oauth-ref-eligibility on May 14, 2026

obviyus (Contributor) commented May 14, 2026

Summary

Fix Codex runtime auth selection for OAuth profiles stored with oauthRef instead of inline tokens.

OpenClaw already persists OpenAI Codex OAuth secrets behind oauthRef, and models status can show those profiles as OK. Runtime auth ordering still treated OAuth as configured only when access or refresh was inline, so the Codex app-server bridge could start without a selected profile and hit Responses with profile=- / missing auth.

Real behavior proof

  • Before: an openai-codex OAuth profile backed only by oauthRef was reported as OK by status, but resolveAuthProfileOrder treated it as missing_credential, so Codex app-server auth selection found no profile.
  • After: regression tests prove evaluateStoredCredentialEligibility accepts oauthRef, resolveAuthProfileOrder includes the profile, and Codex app-server auth selection picks it for login.

Verification

  • pnpm test:changed
  • pnpm check:changed

obviyus requested a review from a team as a code owner May 14, 2026 03:25
openclaw-barnacle (bot) added the labels agents, extensions: codex, size: S, maintainer May 14, 2026

clawsweeper (bot, Contributor) commented May 14, 2026

Codex review: needs real behavior proof before merge.

Summary
The PR updates auth-profile eligibility and tests so OpenAI Codex OAuth profiles backed by oauthRef can be included in runtime auth ordering and Codex app-server profile selection.

Reproducibility: yes. source-level. On current main, construct an OpenAI Codex OAuth credential with missing or blank access and refresh plus a valid oauthRef; evaluateStoredCredentialEligibility returns missing_credential, and resolveAuthProfileOrder filters it out before the app-server can select it.

Real behavior proof
Needs real behavior proof before merge: The PR body lists tests and checks only, with no after-fix real Codex app-server/runtime output, screenshot, recording, linked artifact, or redacted log showing an oauthRef-backed profile working. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Human handling is needed for the protected maintainer label, missing real behavior proof, and the author’s related-PR supersession note; there is no narrow ClawSweeper repair defect to queue.

Security
Cleared: The diff only changes local auth eligibility logic and regression tests; I found no dependency, workflow, secret exposure, or supply-chain concern.

Review details

Best possible solution:

Land the focused eligibility fix after maintainer review and after the contributor adds redacted real Codex runtime proof that an oauthRef-backed profile is selected without missing auth.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level. On current main, construct an OpenAI Codex OAuth credential with missing or blank access and refresh plus a valid oauthRef; evaluateStoredCredentialEligibility returns missing_credential, and resolveAuthProfileOrder filters it out before the app-server can select it.

Is this the best way to solve the issue?

Yes, the proposed direction is narrow and matches the existing SecretRef-style eligibility contract by treating a valid Codex oauthRef as configured. The remaining gate is proof and maintainer confirmation, not a different code shape.

What I checked:

  • Current-main eligibility gap: On current main, OAuth eligibility returns missing_credential when both access and refresh normalize as missing; it does not inspect oauthRef, so an oauthRef-only Codex profile is rejected before runtime selection. (src/agents/auth-profiles/credential-state.ts:105, fe89243c3b24)
  • Auth order depends on eligibility: resolveAuthProfileOrder filters candidate profile IDs through resolveAuthProfileEligibility, which delegates to credential eligibility; a missing_credential result removes the profile from runtime order. (src/agents/auth-profiles/order.ts:292, fe89243c3b24)
  • Codex app-server uses auth order: When no profile is explicitly requested, resolveCodexAppServerAuthProfileId selects the first resolveAuthProfileOrder(..., provider: "openai-codex") result, so the eligibility filter reaches app-server login selection. (extensions/codex/src/app-server/auth-bridge.ts:78, fe89243c3b24)
  • oauthRef is a persisted credential contract: The auth profile types define OAuthCredentialRef as an openclaw-credentials reference for openai-codex, and persistence omits inline OAuth secrets while storing oauthRef metadata after secret material is written. (src/agents/auth-profiles/types.ts:19, fe89243c3b24)
  • PR patch scope: The PR adds a valid-oauthRef eligibility check plus focused tests for credential eligibility, auth ordering, and Codex app-server profile selection. (src/agents/auth-profiles/credential-state.ts:69, c6e1276ef7ab)
  • Related PR does not supersede this code path: The merged related PR classified Codex app-server auth refresh failures and changed error-formatting/client tests, but it did not touch credential-state.ts, order.ts, or app-server auth profile selection. (3b8ac38ae9ee)

Likely related people:

  • steipete: Recent auth-profile contract work touched credential-state.ts, order.ts, persisted.ts, OAuth handling, docs, and status surfaces central to this PR. (role: recent auth-profile contributor; confidence: high; commits: 8e179101914e, 1e8564cb13c3; files: src/agents/auth-profiles/credential-state.ts, src/agents/auth-profiles/order.ts, src/agents/auth-profiles/persisted.ts)
  • jeffjhunter: Recent Codex app-server OAuth harness work touched auth-bridge.ts, auth-bridge.test.ts, SDK auth exports, and OAuth runtime paths adjacent to the selected-profile behavior. (role: recent Codex app-server OAuth contributor; confidence: medium; commits: 850d685d4bec; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/auth-bridge.test.ts, src/agents/auth-profiles/oauth.ts)
  • pashpashpash: Recent app-server launch work touched auth-bridge.ts and its tests, the same file where implicit Codex auth profile selection happens. (role: recent Codex app-server auth-bridge contributor; confidence: medium; commits: 74860e93fd6e; files: extensions/codex/src/app-server/auth-bridge.ts, extensions/codex/src/app-server/auth-bridge.test.ts)
  • vincentkoc: The merged related PR handled adjacent Codex app-server auth refresh classification and local history/blame points to recent auth-profile and app-server activity under this name. (role: adjacent auth-refresh contributor; confidence: medium; commits: 3b8ac38ae9ee, d08f68dee733; files: extensions/codex/src/app-server/client.ts, src/agents/auth-profiles/credential-state.ts, src/agents/auth-profiles/order.ts)

Remaining risk / open question:

  • Contributor real behavior proof is still absent; tests/checks alone do not show the oauthRef-backed Codex app-server runtime path working after the patch.
  • The author’s earlier “Superseded by” note points to a merged related PR that appears adjacent rather than equivalent, so a maintainer should confirm whether this PR should still land.

Codex review notes: model gpt-5.5, reasoning high; reviewed against fe89243c3b24.
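
The eligibility chain discussed in this thread (credential eligibility, then auth order, then profile selection), as an added TypeScript sketch that is not part of the PR or of OpenClaw's code. The type shapes, the oauthRef field names (source, provider, id), the validity rule and the sample profile IDs are assumptions; only the roles of the functions and the missing_credential reason come from the thread.

```typescript
// Simplified model of the eligibility gap. Type shapes, ref field names and the
// validity rule are assumptions for illustration, not OpenClaw's real code.
type OAuthRef = { source: string; provider: string; id: string };
type OAuthCredential = {
  type: "oauth"; provider: string;
  access?: string; refresh?: string; oauthRef?: OAuthRef;
};
type Eligibility = { eligible: boolean; reason?: "missing_credential" };
type Check = (cred: OAuthCredential) => Eligibility;

const hasText = (v?: string): boolean => typeof v === "string" && v.trim() !== "";
const missing: Eligibility = { eligible: false, reason: "missing_credential" };

// A ref counts only if it names the credential store, matches the profile's
// provider and carries a non-blank id (assumed rule). Anything else fails closed.
function isValidOauthRef(cred: OAuthCredential): boolean {
  const r = cred.oauthRef;
  return r !== undefined && r.source === "openclaw-credentials" &&
    r.provider === cred.provider && hasText(r.id);
}

// Before the fix: only inline tokens make an OAuth profile "configured".
const eligibilityBefore: Check = (cred) =>
  hasText(cred.access) || hasText(cred.refresh) ? { eligible: true } : missing;

// After the fix: a valid oauthRef is accepted as well.
const eligibilityAfter: Check = (cred) =>
  hasText(cred.access) || hasText(cred.refresh) || isValidOauthRef(cred)
    ? { eligible: true } : missing;

// Runtime order keeps only eligible profiles; selection takes the first one.
function resolveOrder(profiles: Record<string, OAuthCredential>, check: Check): string[] {
  return Object.entries(profiles).filter(([, c]) => check(c).eligible).map(([id]) => id);
}
function selectProfile(profiles: Record<string, OAuthCredential>, check: Check): string | undefined {
  return resolveOrder(profiles, check)[0];
}

// Constructed sample store: no inline secrets, one blank ref and one usable ref.
const makeRef = (id: string): OAuthRef =>
  ({ source: "openclaw-credentials", provider: "openai-codex", id });
const store: Record<string, OAuthCredential> = {
  "openai-codex:blank-ref": { type: "oauth", provider: "openai-codex", oauthRef: makeRef("  ") },
  "openai-codex:ref-only": { type: "oauth", provider: "openai-codex", access: "", oauthRef: makeRef("profile-1") },
};

console.log("before:", selectProfile(store, eligibilityBefore));
console.log("after: ", selectProfile(store, eligibilityAfter));
```

The blank-ref profile stays excluded after the change, so a status surface and the runtime agree only on profiles whose reference can actually be resolved.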

obviyus (Contributor, Author) commented May 14, 2026

Superseded by #81638.

obviyus closed this May 14, 2026
obviyus reopened this May 14, 2026
obviyus self-assigned this May 14, 2026
obviyus force-pushed the codex/oauth-ref-eligibility branch from c6e1276 to 3f65c35 May 14, 2026 05:00
obviyus merged commit e44b915 into main May 14, 2026 (107 of 110 checks passed)
obviyus deleted the codex/oauth-ref-eligibility branch May 14, 2026 05:01

obviyus (Contributor, Author) commented May 14, 2026

Landed via rebase onto main.

  • Scoped tests: pnpm test:changed; pnpm check:changed
  • Changelog: CHANGELOG.md updated
  • Land commit: 3f65c35168bc12f2d1b40cb075371dbd88d861fe
  • Merge commit: e44b915dbf6baabd02d142e35f271e9cd8484452
