renato97/picoclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #151 from qiaoborui/codex/fix-openai-oauth-authorize-url

Browse Source 
fix(auth): align OpenAI OAuth browser login URL
This commit is contained in:
Meng Zhuo
2026-02-15 09:27:19 +08:00
committed by GitHub
parent 3334595859 da804a0748
commit ddd73cad48
4 changed files with 79 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
pkg/auth/oauth.go
View File

@@ -19,18 +19,20 @@ import (
) )
type OAuthProviderConfig struct { type OAuthProviderConfig struct {
Issuer string Issuer string
ClientID string ClientID string
Scopes string Scopes string
Port int Originator string
Port int
} }
func OpenAIOAuthConfig() OAuthProviderConfig { func OpenAIOAuthConfig() OAuthProviderConfig {
return OAuthProviderConfig{ return OAuthProviderConfig{
Issuer: "https://auth.openai.com", Issuer: "https://auth.openai.com",
ClientID: "app_EMoamEEZ73f0CkXaXp7hrann", ClientID: "app_EMoamEEZ73f0CkXaXp7hrann",
Scopes: "openid profile email offline_access", Scopes: "openid profile email offline_access",
Port: 1455, Originator: "codex_cli_rs",
Port: 1455,
} }
} }
@@ -288,15 +290,20 @@ func BuildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectU
func buildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectURI string) string { func buildAuthorizeURL(cfg OAuthProviderConfig, pkce PKCECodes, state, redirectURI string) string {
params := url.Values{ params := url.Values{
"response_type": {"code"}, "response_type": {"code"},
"client_id": {cfg.ClientID}, "client_id": {cfg.ClientID},
"redirect_uri": {redirectURI}, "redirect_uri": {redirectURI},
"scope": {cfg.Scopes}, "scope": {cfg.Scopes},
"code_challenge": {pkce.CodeChallenge}, "code_challenge": {pkce.CodeChallenge},
"code_challenge_method": {"S256"}, "code_challenge_method": {"S256"},
"state": {state}, "id_token_add_organizations": {"true"},
"codex_cli_simplified_flow": {"true"},
"state": {state},
} }
return cfg.Issuer + "/authorize?" + params.Encode() if cfg.Originator != "" {
params.Set("originator", cfg.Originator)
}
return cfg.Issuer + "/oauth/authorize?" + params.Encode()
} }
func exchangeCodeForTokens(cfg OAuthProviderConfig, code, codeVerifier, redirectURI string) (*AuthCredential, error) { func exchangeCodeForTokens(cfg OAuthProviderConfig, code, codeVerifier, redirectURI string) (*AuthCredential, error) {
@@ -352,6 +359,9 @@ func parseTokenResponse(body []byte, provider string) (*AuthCredential, error) {
if accountID := extractAccountID(tokenResp.AccessToken); accountID != "" { if accountID := extractAccountID(tokenResp.AccessToken); accountID != "" {
cred.AccountID = accountID cred.AccountID = accountID
} else if accountID := extractAccountID(tokenResp.IDToken); accountID != "" {
// Recent OpenAI OAuth responses may only include chatgpt_account_id in id_token claims.
cred.AccountID = accountID
} }
return cred, nil return cred, nil

47
pkg/auth/oauth_test.go
View File

@@ -1,6 +1,7 @@
package auth package auth
import ( import (
"encoding/base64"
"encoding/json" "encoding/json"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
@@ -10,10 +11,11 @@ import (
func TestBuildAuthorizeURL(t *testing.T) { func TestBuildAuthorizeURL(t *testing.T) {
cfg := OAuthProviderConfig{ cfg := OAuthProviderConfig{
Issuer: "https://auth.example.com", Issuer: "https://auth.example.com",
ClientID: "test-client-id", ClientID: "test-client-id",
Scopes: "openid profile", Scopes: "openid profile",
Port: 1455, Originator: "codex_cli_rs",
Port: 1455,
} }
pkce := PKCECodes{ pkce := PKCECodes{
CodeVerifier: "test-verifier", CodeVerifier: "test-verifier",
@@ -22,7 +24,7 @@ func TestBuildAuthorizeURL(t *testing.T) {
u := BuildAuthorizeURL(cfg, pkce, "test-state", "http://localhost:1455/auth/callback") u := BuildAuthorizeURL(cfg, pkce, "test-state", "http://localhost:1455/auth/callback")
if !strings.HasPrefix(u, "https://auth.example.com/authorize?") { if !strings.HasPrefix(u, "https://auth.example.com/oauth/authorize?") {
t.Errorf("URL does not start with expected prefix: %s", u) t.Errorf("URL does not start with expected prefix: %s", u)
} }
if !strings.Contains(u, "client_id=test-client-id") { if !strings.Contains(u, "client_id=test-client-id") {
@@ -40,6 +42,15 @@ func TestBuildAuthorizeURL(t *testing.T) {
if !strings.Contains(u, "response_type=code") { if !strings.Contains(u, "response_type=code") {
t.Error("URL missing response_type") t.Error("URL missing response_type")
} }
if !strings.Contains(u, "id_token_add_organizations=true") {
t.Error("URL missing id_token_add_organizations")
}
if !strings.Contains(u, "codex_cli_simplified_flow=true") {
t.Error("URL missing codex_cli_simplified_flow")
}
if !strings.Contains(u, "originator=codex_cli_rs") {
t.Error("URL missing originator")
}
} }
func TestParseTokenResponse(t *testing.T) { func TestParseTokenResponse(t *testing.T) {
@@ -81,6 +92,32 @@ func TestParseTokenResponseNoAccessToken(t *testing.T) {
} }
} }
func TestParseTokenResponseAccountIDFromIDToken(t *testing.T) {
idToken := makeJWTWithAccountID("acc-from-id")
resp := map[string]interface{}{
"access_token": "not-a-jwt",
"refresh_token": "test-refresh-token",
"expires_in": 3600,
"id_token": idToken,
}
body, _ := json.Marshal(resp)
cred, err := parseTokenResponse(body, "openai")
if err != nil {
t.Fatalf("parseTokenResponse() error: %v", err)
}
if cred.AccountID != "acc-from-id" {
t.Errorf("AccountID = %q, want %q", cred.AccountID, "acc-from-id")
}
}
func makeJWTWithAccountID(accountID string) string {
header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
payload := base64.RawURLEncoding.EncodeToString([]byte(`{"https://api.openai.com/auth":{"chatgpt_account_id":"` + accountID + `"}}`))
return header + "." + payload + ".sig"
}
func TestExchangeCodeForTokens(t *testing.T) { func TestExchangeCodeForTokens(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/oauth/token" { if r.URL.Path != "/oauth/token" {

5
pkg/providers/codex_provider.go
View File

@@ -18,6 +18,8 @@ type CodexProvider struct {
tokenSource func() (string, string, error) tokenSource func() (string, string, error)
} }
const defaultCodexInstructions = "You are Codex, a coding assistant."
func NewCodexProvider(token, accountID string) *CodexProvider { func NewCodexProvider(token, accountID string) *CodexProvider {
opts := []option.RequestOption{ opts := []option.RequestOption{
option.WithBaseURL("https://chatgpt.com/backend-api/codex"), option.WithBaseURL("https://chatgpt.com/backend-api/codex"),
@@ -138,6 +140,9 @@ func buildCodexParams(messages []Message, tools []ToolDefinition, model string,
if instructions != "" { if instructions != "" {
params.Instructions = openai.Opt(instructions) params.Instructions = openai.Opt(instructions)
} else {
// ChatGPT Codex backend requires instructions to be present.
params.Instructions = openai.Opt(defaultCodexInstructions)
} }
if maxTokens, ok := options["max_tokens"].(int); ok { if maxTokens, ok := options["max_tokens"].(int); ok {

6
pkg/providers/codex_provider_test.go
View File

@@ -21,6 +21,12 @@ func TestBuildCodexParams_BasicMessage(t *testing.T) {
if params.Model != "gpt-4o" { if params.Model != "gpt-4o" {
t.Errorf("Model = %q, want %q", params.Model, "gpt-4o") t.Errorf("Model = %q, want %q", params.Model, "gpt-4o")
} }
if !params.Instructions.Valid() {
t.Fatal("Instructions should be set")
}
if params.Instructions.Or("") != defaultCodexInstructions {
t.Errorf("Instructions = %q, want %q", params.Instructions.Or(""), defaultCodexInstructions)
}
} }
func TestBuildCodexParams_SystemAsInstructions(t *testing.T) { func TestBuildCodexParams_SystemAsInstructions(t *testing.T) {