fix(auth): align OpenAI OAuth authorize URL and params

pkg/auth/oauth.go

@@ -19,18 +19,20 @@ import (
 )
 
 type OAuthProviderConfig struct {
-	Issuer   string
+	Issuer     string
-	ClientID string
+	ClientID   string
-	Scopes   string
+	Scopes     string
-	Port     int
+	Originator string
+	Port       int
 }
 
 func OpenAIOAuthConfig() OAuthProviderConfig {
 	return OAuthProviderConfig{
-		Issuer:   "https://auth.openai.com",
+		Issuer:     "https://auth.openai.com",
-		ClientID: "app_EMoamEEZ73f0CkXaXp7hrann",
+		ClientID:   "app_EMoamEEZ73f0CkXaXp7hrann",
-		Scopes:   "openid profile email offline_access",
+		Scopes:     "openid profile email offline_access",
-		Port:     1455,
+		Originator: "codex_cli_rs",
+		Port:       1455,
 	}
 }
 
@@ -288,15 +290,20 @@ func BuildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectU
 
 func buildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectURI string) string {
 	params := url.Values{
-		"response_type":         {"code"},
+		"response_type":              {"code"},
-		"client_id":             {cfg.ClientID},
+		"client_id":                  {cfg.ClientID},
-		"redirect_uri":          {redirectURI},
+		"redirect_uri":               {redirectURI},
-		"scope":                 {cfg.Scopes},
+		"scope":                      {cfg.Scopes},
-		"code_challenge":        {pkce.CodeChallenge},
+		"code_challenge":             {pkce.CodeChallenge},
-		"code_challenge_method": {"S256"},
+		"code_challenge_method":      {"S256"},
-		"state":                 {state},
+		"id_token_add_organizations": {"true"},
+		"codex_cli_simplified_flow":  {"true"},
+		"state":                      {state},
 	}
-	return cfg.Issuer + "/authorize?" + params.Encode()
+	if cfg.Originator != "" {
+		params.Set("originator", cfg.Originator)
+	}
+	return cfg.Issuer + "/oauth/authorize?" + params.Encode()
 }
 
 func exchangeCodeForTokens(cfg OAuthProviderConfig, code, codeVerifier, redirectURI string) (*AuthCredential, error) {

pkg/auth/oauth_test.go

@@ -10,10 +10,11 @@ import (
 
 func TestBuildAuthorizeURL(t *testing.T) {
 	cfg := OAuthProviderConfig{
-		Issuer:   "https://auth.example.com",
+		Issuer:     "https://auth.example.com",
-		ClientID: "test-client-id",
+		ClientID:   "test-client-id",
-		Scopes:   "openid profile",
+		Scopes:     "openid profile",
-		Port:     1455,
+		Originator: "codex_cli_rs",
+		Port:       1455,
 	}
 	pkce := PKCECodes{
 		CodeVerifier:  "test-verifier",
@@ -22,7 +23,7 @@ func TestBuildAuthorizeURL(t *testing.T) {
 
 	u := BuildAuthorizeURL(cfg, pkce, "test-state", "http://localhost:1455/auth/callback")
 
-	if !strings.HasPrefix(u, "https://auth.example.com/authorize?") {
+	if !strings.HasPrefix(u, "https://auth.example.com/oauth/authorize?") {
 		t.Errorf("URL does not start with expected prefix: %s", u)
 	}
 	if !strings.Contains(u, "client_id=test-client-id") {
@@ -40,6 +41,15 @@ func TestBuildAuthorizeURL(t *testing.T) {
 	if !strings.Contains(u, "response_type=code") {
 		t.Error("URL missing response_type")
 	}
+	if !strings.Contains(u, "id_token_add_organizations=true") {
+		t.Error("URL missing id_token_add_organizations")
+	}
+	if !strings.Contains(u, "codex_cli_simplified_flow=true") {
+		t.Error("URL missing codex_cli_simplified_flow")
+	}
+	if !strings.Contains(u, "originator=codex_cli_rs") {
+		t.Error("URL missing originator")
+	}
 }
 
 func TestParseTokenResponse(t *testing.T) {