fix(auth): align OpenAI OAuth authorize URL and params

pkg/auth/oauth.go

@@ -19,18 +19,20 @@ import (
 )
 
 type OAuthProviderConfig struct {
-	Issuer   string
-	ClientID string
-	Scopes   string
-	Port     int
+	Issuer     string
+	ClientID   string
+	Scopes     string
+	Originator string
+	Port       int
 }
 
 func OpenAIOAuthConfig() OAuthProviderConfig {
 	return OAuthProviderConfig{
-		Issuer:   "https://auth.openai.com",
-		ClientID: "app_EMoamEEZ73f0CkXaXp7hrann",
-		Scopes:   "openid profile email offline_access",
-		Port:     1455,
+		Issuer:     "https://auth.openai.com",
+		ClientID:   "app_EMoamEEZ73f0CkXaXp7hrann",
+		Scopes:     "openid profile email offline_access",
+		Originator: "codex_cli_rs",
+		Port:       1455,
 	}
 }
 
@@ -288,15 +290,20 @@ func BuildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectU
 
 func buildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectURI string) string {
 	params := url.Values{
-		"response_type":         {"code"},
-		"client_id":             {cfg.ClientID},
-		"redirect_uri":          {redirectURI},
-		"scope":                 {cfg.Scopes},
-		"code_challenge":        {pkce.CodeChallenge},
-		"code_challenge_method": {"S256"},
-		"state":                 {state},
+		"response_type":              {"code"},
+		"client_id":                  {cfg.ClientID},
+		"redirect_uri":               {redirectURI},
+		"scope":                      {cfg.Scopes},
+		"code_challenge":             {pkce.CodeChallenge},
+		"code_challenge_method":      {"S256"},
+		"id_token_add_organizations": {"true"},
+		"codex_cli_simplified_flow":  {"true"},
+		"state":                      {state},
 	}
-	return cfg.Issuer + "/authorize?" + params.Encode()
+	if cfg.Originator != "" {
+		params.Set("originator", cfg.Originator)
+	}
+	return cfg.Issuer + "/oauth/authorize?" + params.Encode()
 }
 
 func exchangeCodeForTokens(cfg OAuthProviderConfig, code, codeVerifier, redirectURI string) (*AuthCredential, error) {