Skip to content

Support Codex custom provider authentication#984

Open
Rio-Allen wants to merge 1 commit into
siteboon:mainfrom
Rio-Allen:rio/codex-custom-provider-auth
Open

Support Codex custom provider authentication#984
Rio-Allen wants to merge 1 commit into
siteboon:mainfrom
Rio-Allen:rio/codex-custom-provider-auth

Conversation

@Rio-Allen

@Rio-Allen Rio-Allen commented Jul 10, 2026

Copy link
Copy Markdown

Summary

  • Add a shared Codex credential resolver that preserves existing auth.json OAuth/API-key behavior.
  • Recognize Codex custom providers configured in config.toml via model_provider and provider env_key.
  • Resolve the provider credential from the CloudCLI process environment first, then from CODEX_HOME/.env, and pass it only to the Codex CLI environment for execution.
  • Use the same resolver for Codex auth status and Codex SDK execution.

Tests

  • npm run typecheck
  • npm run build:server && node --test dist-server/server/modules/providers/tests/codex-credentials.test.js
  • npx eslint server/modules/providers/list/codex/codex-auth.provider.ts server/modules/providers/list/codex/codex-credentials.ts server/modules/providers/tests/codex-credentials.test.ts server/openai-codex.js

Summary by CodeRabbit

  • New Features
    • Improved Codex authentication detection, including support for official credentials and custom providers.
    • Added support for credentials from environment variables and Codex .env files.
    • Codex CLI requests now use detected credentials automatically when available.
    • Added clearer authentication status and error reporting.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Codex credential handling moves into a shared resolver that supports official auth files, custom provider configuration, process environment variables, and .env files. Provider status and CLI initialization use the resolver, with tests covering authentication sources and missing credentials.

Changes

Codex credentials

Layer / File(s) Summary
Credential resolution and validation
server/modules/providers/list/codex/codex-credentials.ts, server/modules/providers/tests/codex-credentials.test.ts
Adds shared credential parsing and resolution for official Codex auth, custom providers, process environment variables, and .env files, plus CLI environment construction and tests for these paths.
Provider and CLI credential consumers
server/modules/providers/list/codex/codex-auth.provider.ts, server/openai-codex.js
Updates provider status and Codex client initialization to use the shared resolver and optional environment map.

Sequence Diagram(s)

sequenceDiagram
  participant queryCodex
  participant resolveCodexCredentials
  participant CodexHome
  participant Codex
  queryCodex->>resolveCodexCredentials: resolve credential status
  resolveCodexCredentials->>CodexHome: read auth.json, config.toml, or .env
  CodexHome-->>resolveCodexCredentials: credential status and environment values
  queryCodex->>Codex: create client with optional environment
Loading

Suggested reviewers: viper151

Poem

A rabbit hops through auth files bright,
Finds provider keys by moonlit light.
.env whispers, tokens gleam,
The Codex CLI joins the dream.
Tests thump paws: the path is right!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding support for Codex custom provider authentication.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@server/modules/providers/list/codex/codex-credentials.ts`:
- Around line 187-203: Update resolveCodexCredentials to resolve and inspect the
active provider configuration before returning officialCredentials; when the
configured provider declares an env_key, load and validate the corresponding
custom-provider credential first, even if auth.json is authenticated. Preserve
existing fallback behavior for official-only setups, and add a regression test
covering auth.json alongside custom config.toml and .env credentials to verify
the custom provider takes precedence.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: abb954e5-bc57-4eaa-895a-3b4d2d22b231

📥 Commits

Reviewing files that changed from the base of the PR and between 5884573 and aee96c0.

📒 Files selected for processing (4)
  • server/modules/providers/list/codex/codex-auth.provider.ts
  • server/modules/providers/list/codex/codex-credentials.ts
  • server/modules/providers/tests/codex-credentials.test.ts
  • server/openai-codex.js

Comment on lines +187 to +203
export async function resolveCodexCredentials(): Promise<CodexCredentialsStatus> {
const codexHome = resolveCodexHome();
const officialCredentials = await readOfficialCredentials(codexHome);
if (officialCredentials?.authenticated) {
return officialCredentials;
}

const customProviderCredentials = await readCustomProviderCredentials(codexHome);
if (customProviderCredentials.authenticated) {
return customProviderCredentials;
}

if (customProviderCredentials.error !== 'Codex not configured') {
return customProviderCredentials;
}

return officialCredentials ?? customProviderCredentials;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Honor the configured custom provider before accepting auth.json.

Lines 189-191 return immediately for any valid official login without inspecting model_provider. If an existing auth.json coexists with a custom provider whose key is only in CODEX_HOME/.env, the CLI receives no custom environment and status incorrectly reports official authentication.

Resolve the active provider first; when it declares an env_key, that credential must take precedence. Add a regression test covering auth.json plus custom config.toml and .env.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/modules/providers/list/codex/codex-credentials.ts` around lines 187 -
203, Update resolveCodexCredentials to resolve and inspect the active provider
configuration before returning officialCredentials; when the configured provider
declares an env_key, load and validate the corresponding custom-provider
credential first, even if auth.json is authenticated. Preserve existing fallback
behavior for official-only setups, and add a regression test covering auth.json
alongside custom config.toml and .env credentials to verify the custom provider
takes precedence.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants