Merge pull request #151 from qiaoborui/codex/fix-openai-oauth-authorize-url

fix(auth): align OpenAI OAuth browser login URL
2026-02-15 09:27:19 +08:00
parent 3334595859 da804a0748
commit ddd73cad48
4 changed files with 79 additions and 21 deletions
--- a/pkg/auth/oauth.go
+++ b/pkg/auth/oauth.go
@@ -19,18 +19,20 @@ import (
 )

 type OAuthProviderConfig struct {
-	Issuer   string
-	ClientID string
-	Scopes   string
-	Port     int
+	Issuer     string
+	ClientID   string
+	Scopes     string
+	Originator string
+	Port       int
 }

 func OpenAIOAuthConfig() OAuthProviderConfig {
 	return OAuthProviderConfig{
-		Issuer:   "https://auth.openai.com",
-		ClientID: "app_EMoamEEZ73f0CkXaXp7hrann",
-		Scopes:   "openid profile email offline_access",
-		Port:     1455,
+		Issuer:     "https://auth.openai.com",
+		ClientID:   "app_EMoamEEZ73f0CkXaXp7hrann",
+		Scopes:     "openid profile email offline_access",
+		Originator: "codex_cli_rs",
+		Port:       1455,
 	}
 }

@@ -288,15 +290,20 @@ func BuildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectU

 func buildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectURI string) string {
 	params := url.Values{
-		"response_type":         {"code"},
-		"client_id":             {cfg.ClientID},
-		"redirect_uri":          {redirectURI},
-		"scope":                 {cfg.Scopes},
-		"code_challenge":        {pkce.CodeChallenge},
-		"code_challenge_method": {"S256"},
-		"state":                 {state},
+		"response_type":              {"code"},
+		"client_id":                  {cfg.ClientID},
+		"redirect_uri":               {redirectURI},
+		"scope":                      {cfg.Scopes},
+		"code_challenge":             {pkce.CodeChallenge},
+		"code_challenge_method":      {"S256"},
+		"id_token_add_organizations": {"true"},
+		"codex_cli_simplified_flow":  {"true"},
+		"state":                      {state},
 	}
-	return cfg.Issuer + "/authorize?" + params.Encode()
+	if cfg.Originator != "" {
+		params.Set("originator", cfg.Originator)
+	}
+	return cfg.Issuer + "/oauth/authorize?" + params.Encode()
 }

 func exchangeCodeForTokens(cfg OAuthProviderConfig, code, codeVerifier, redirectURI string) (*AuthCredential, error) {
@@ -352,6 +359,9 @@ func parseTokenResponse(body []byte, provider string) (*AuthCredential, error) {

 	if accountID := extractAccountID(tokenResp.AccessToken); accountID != "" {
 		cred.AccountID = accountID
+	} else if accountID := extractAccountID(tokenResp.IDToken); accountID != "" {
+		// Recent OpenAI OAuth responses may only include chatgpt_account_id in id_token claims.
+		cred.AccountID = accountID
 	}

 	return cred, nil
--- a/pkg/auth/oauth_test.go
+++ b/pkg/auth/oauth_test.go
@@ -1,6 +1,7 @@
 package auth

 import (
+	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
@@ -10,10 +11,11 @@ import (

 func TestBuildAuthorizeURL(t *testing.T) {
 	cfg := OAuthProviderConfig{
-		Issuer:   "https://auth.example.com",
-		ClientID: "test-client-id",
-		Scopes:   "openid profile",
-		Port:     1455,
+		Issuer:     "https://auth.example.com",
+		ClientID:   "test-client-id",
+		Scopes:     "openid profile",
+		Originator: "codex_cli_rs",
+		Port:       1455,
 	}
 	pkce := PKCECodes{
 		CodeVerifier:  "test-verifier",
@@ -22,7 +24,7 @@ func TestBuildAuthorizeURL(t *testing.T) {

 	u := BuildAuthorizeURL(cfg, pkce, "test-state", "http://localhost:1455/auth/callback")

-	if !strings.HasPrefix(u, "https://auth.example.com/authorize?") {
+	if !strings.HasPrefix(u, "https://auth.example.com/oauth/authorize?") {
 		t.Errorf("URL does not start with expected prefix: %s", u)
 	}
 	if !strings.Contains(u, "client_id=test-client-id") {
@@ -40,6 +42,15 @@ func TestBuildAuthorizeURL(t *testing.T) {
 	if !strings.Contains(u, "response_type=code") {
 		t.Error("URL missing response_type")
 	}
+	if !strings.Contains(u, "id_token_add_organizations=true") {
+		t.Error("URL missing id_token_add_organizations")
+	}
+	if !strings.Contains(u, "codex_cli_simplified_flow=true") {
+		t.Error("URL missing codex_cli_simplified_flow")
+	}
+	if !strings.Contains(u, "originator=codex_cli_rs") {
+		t.Error("URL missing originator")
+	}
 }

 func TestParseTokenResponse(t *testing.T) {
@@ -81,6 +92,32 @@ func TestParseTokenResponseNoAccessToken(t *testing.T) {
 	}
 }

+func TestParseTokenResponseAccountIDFromIDToken(t *testing.T) {
+	idToken := makeJWTWithAccountID("acc-from-id")
+	resp := map[string]interface{}{
+		"access_token":  "not-a-jwt",
+		"refresh_token": "test-refresh-token",
+		"expires_in":    3600,
+		"id_token":      idToken,
+	}
+	body, _ := json.Marshal(resp)
+
+	cred, err := parseTokenResponse(body, "openai")
+	if err != nil {
+		t.Fatalf("parseTokenResponse() error: %v", err)
+	}
+
+	if cred.AccountID != "acc-from-id" {
+		t.Errorf("AccountID = %q, want %q", cred.AccountID, "acc-from-id")
+	}
+}
+
+func makeJWTWithAccountID(accountID string) string {
+	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
+	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"https://api.openai.com/auth":{"chatgpt_account_id":"` + accountID + `"}}`))
+	return header + "." + payload + ".sig"
+}
+
 func TestExchangeCodeForTokens(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/oauth/token" {
--- a/pkg/providers/codex_provider.go
+++ b/pkg/providers/codex_provider.go
@@ -18,6 +18,8 @@ type CodexProvider struct {
 	tokenSource func() (string, string, error)
 }

+const defaultCodexInstructions = "You are Codex, a coding assistant."
+
 func NewCodexProvider(token, accountID string) *CodexProvider {
 	opts := []option.RequestOption{
 		option.WithBaseURL("https://chatgpt.com/backend-api/codex"),
@@ -138,6 +140,9 @@ func buildCodexParams(messages []Message, tools []ToolDefinition, model string,

 	if instructions != "" {
 		params.Instructions = openai.Opt(instructions)
+	} else {
+		// ChatGPT Codex backend requires instructions to be present.
+		params.Instructions = openai.Opt(defaultCodexInstructions)
 	}

 	if maxTokens, ok := options["max_tokens"].(int); ok {
--- a/pkg/providers/codex_provider_test.go
+++ b/pkg/providers/codex_provider_test.go
@@ -21,6 +21,12 @@ func TestBuildCodexParams_BasicMessage(t *testing.T) {
 	if params.Model != "gpt-4o" {
 		t.Errorf("Model = %q, want %q", params.Model, "gpt-4o")
 	}
+	if !params.Instructions.Valid() {
+		t.Fatal("Instructions should be set")
+	}
+	if params.Instructions.Or("") != defaultCodexInstructions {
+		t.Errorf("Instructions = %q, want %q", params.Instructions.Or(""), defaultCodexInstructions)
+	}
 }

 func TestBuildCodexParams_SystemAsInstructions(t *testing.T) {