auth: derive codex oauth profile ids from jwt claims

2026-05-02 21:40:22 +00:00 · 2026-03-25 00:54:50 +08:00
parent abec3ed645
commit b6e70a5cdd
2 changed files with 199 additions and 1 deletions
--- a/src/plugins/contracts/auth.contract.test.ts
+++ b/src/plugins/contracts/auth.contract.test.ts
@@ -91,6 +91,12 @@ function buildAuthContext() {
  };
 }

+function createJwt(payload: Record<string, unknown>): string {
+  const header = Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })).toString("base64url");
+  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  return `${header}.${body}.signature`;
+}
+
 describe("provider auth contract", () => {
  let authStore: AuthProfileStore;

@@ -154,6 +160,130 @@ describe("provider auth contract", () => {
    });
  });

+  it("backfills OpenAI Codex OAuth email from the JWT profile claim", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    const access = createJwt({
+      "https://api.openai.com/profile": {
+        email: "jwt-user@example.com",
+      },
+    });
+    loginOpenAICodexOAuthMock.mockResolvedValueOnce({
+      refresh: "refresh-token",
+      access,
+      expires: 1_700_000_000_000,
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toEqual({
+      profiles: [
+        {
+          profileId: "openai-codex:jwt-user@example.com",
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access,
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+            email: "jwt-user@example.com",
+          },
+        },
+      ],
+      configPatch: {
+        agents: {
+          defaults: {
+            models: {
+              "openai-codex/gpt-5.4": {},
+            },
+          },
+        },
+      },
+      defaultModel: "openai-codex/gpt-5.4",
+      notes: undefined,
+    });
+  });
+
+  it("uses a stable fallback id when OpenAI Codex JWT email is missing", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    const access = createJwt({
+      "https://api.openai.com/auth": {
+        chatgpt_account_user_id: "user-123__acct-456",
+      },
+    });
+    const expectedStableId = Buffer.from("user-123__acct-456", "utf8").toString("base64url");
+    loginOpenAICodexOAuthMock.mockResolvedValueOnce({
+      refresh: "refresh-token",
+      access,
+      expires: 1_700_000_000_000,
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toEqual({
+      profiles: [
+        {
+          profileId: `openai-codex:id-${expectedStableId}`,
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access,
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+            email: `id-${expectedStableId}`,
+          },
+        },
+      ],
+      configPatch: {
+        agents: {
+          defaults: {
+            models: {
+              "openai-codex/gpt-5.4": {},
+            },
+          },
+        },
+      },
+      defaultModel: "openai-codex/gpt-5.4",
+      notes: undefined,
+    });
+  });
+
+  it("falls back to the default OpenAI Codex profile when JWT parsing yields no identity", async () => {
+    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
+    loginOpenAICodexOAuthMock.mockResolvedValueOnce({
+      refresh: "refresh-token",
+      access: "not-a-jwt-token",
+      expires: 1_700_000_000_000,
+    });
+
+    const result = await provider.auth[0]?.run(buildAuthContext() as never);
+
+    expect(result).toEqual({
+      profiles: [
+        {
+          profileId: "openai-codex:default",
+          credential: {
+            type: "oauth",
+            provider: "openai-codex",
+            access: "not-a-jwt-token",
+            refresh: "refresh-token",
+            expires: 1_700_000_000_000,
+          },
+        },
+      ],
+      configPatch: {
+        agents: {
+          defaults: {
+            models: {
+              "openai-codex/gpt-5.4": {},
+            },
+          },
+        },
+      },
+      defaultModel: "openai-codex/gpt-5.4",
+      notes: undefined,
+    });
+  });
+
  it("keeps OpenAI Codex OAuth failures non-fatal at the provider layer", async () => {
    const provider = requireProvider(registerProviders(openAIPlugin), "openai-codex");
    loginOpenAICodexOAuthMock.mockRejectedValueOnce(new Error("oauth failed"));