feat: Implemented OAuth support for OpenAI models via Codex endpoints
CI / All (ubuntu-latest) (push) Failing after 24s
CI / All (macos-latest) (push) Has been cancelled
CI / All (windows-latest) (push) Has been cancelled

This commit is contained in:
2026-07-06 11:20:32 -06:00
parent af91b89cff
commit fa7eadd08a
7 changed files with 477 additions and 44 deletions
+19 -4
View File
@@ -4,29 +4,44 @@ use indexmap::IndexMap;
use parking_lot::RwLock;
use std::sync::LazyLock;
static ACCESS_TOKENS: LazyLock<RwLock<IndexMap<String, (String, i64)>>> =
type AccessTokenEntry = (String, i64, Option<String>);
static ACCESS_TOKENS: LazyLock<RwLock<IndexMap<String, AccessTokenEntry>>> =
LazyLock::new(|| RwLock::new(IndexMap::new()));
pub fn get_access_token(client_name: &str) -> Result<String> {
ACCESS_TOKENS
.read()
.get(client_name)
.map(|(token, _)| token.clone())
.map(|(token, _, _)| token.clone())
.ok_or_else(|| anyhow!("Invalid access token"))
}
pub fn get_access_token_account_id(client_name: &str) -> Option<String> {
ACCESS_TOKENS
.read()
.get(client_name)
.and_then(|(_, _, account_id)| account_id.clone())
}
pub fn is_valid_access_token(client_name: &str) -> bool {
let access_tokens = ACCESS_TOKENS.read();
let (token, expires_at) = match access_tokens.get(client_name) {
let (token, expires_at, _) = match access_tokens.get(client_name) {
Some(v) => v,
None => return false,
};
!token.is_empty() && Utc::now().timestamp() < *expires_at
}
pub fn set_access_token(client_name: &str, token: String, expires_at: i64) {
pub fn set_access_token(
client_name: &str,
token: String,
expires_at: i64,
account_id: Option<String>,
) {
let mut access_tokens = ACCESS_TOKENS.write();
let entry = access_tokens.entry(client_name.to_string()).or_default();
entry.0 = token;
entry.1 = expires_at;
entry.2 = account_id;
}
+1
View File
@@ -4,6 +4,7 @@ mod common;
mod gemini_oauth;
mod message;
pub mod oauth;
mod openai_oauth;
#[macro_use]
mod macros;
mod model;
+41 -14
View File
@@ -57,6 +57,14 @@ pub trait OAuthProvider: Send + Sync {
fn fixed_redirect_uri(&self) -> Option<String> {
None
}
fn extract_account_id(&self, _response: &Value) -> Option<String> {
None
}
fn include_state_in_token_exchange(&self) -> bool {
true
}
}
#[derive(Debug, Clone, Serialize, Deserialize)]
@@ -64,6 +72,8 @@ pub struct OAuthTokens {
pub access_token: String,
pub refresh_token: String,
pub expires_at: i64,
#[serde(default)]
pub account_id: Option<String>,
}
pub async fn run_oauth_flow(provider: &dyn OAuthProvider, client_name: &str) -> Result<()> {
@@ -137,18 +147,17 @@ pub async fn run_oauth_flow(provider: &dyn OAuthProvider, client_name: &str) ->
}
let client = ReqwestClient::new();
let request = build_token_request(
&client,
provider,
&[
("grant_type", "authorization_code"),
("client_id", provider.client_id()),
("code", &code),
("code_verifier", &code_verifier),
("redirect_uri", &redirect_uri),
("state", &state),
],
);
let mut token_params = vec![
("grant_type", "authorization_code"),
("client_id", provider.client_id()),
("code", code.as_str()),
("code_verifier", code_verifier.as_str()),
("redirect_uri", redirect_uri.as_str()),
];
if provider.include_state_in_token_exchange() {
token_params.push(("state", state.as_str()));
}
let request = build_token_request(&client, provider, &token_params);
let response: Value = request.send().await?.json().await?;
@@ -166,10 +175,13 @@ pub async fn run_oauth_flow(provider: &dyn OAuthProvider, client_name: &str) ->
let expires_at = Utc::now().timestamp() + expires_in;
let account_id = provider.extract_account_id(&response);
let tokens = OAuthTokens {
access_token,
refresh_token,
expires_at,
account_id,
};
save_oauth_tokens(client_name, &tokens)?;
@@ -231,10 +243,15 @@ pub async fn refresh_oauth_token(
let expires_at = Utc::now().timestamp() + expires_in;
let account_id = provider
.extract_account_id(&response)
.or_else(|| tokens.account_id.clone());
let new_tokens = OAuthTokens {
access_token,
refresh_token,
expires_at,
account_id,
};
save_oauth_tokens(client_name, &new_tokens)?;
@@ -262,7 +279,12 @@ pub async fn prepare_oauth_access_token(
tokens
};
set_access_token(client_name, tokens.access_token.clone(), tokens.expires_at);
set_access_token(
client_name,
tokens.access_token.clone(),
tokens.expires_at,
tokens.account_id.clone(),
);
Ok(true)
}
@@ -371,6 +393,7 @@ pub fn get_oauth_provider(provider_type: &str) -> Option<Box<dyn OAuthProvider>>
match provider_type {
"claude" => Some(Box::new(super::claude_oauth::ClaudeOAuthProvider)),
"gemini" => Some(Box::new(super::gemini_oauth::GeminiOAuthProvider)),
"openai" => Some(Box::new(super::openai_oauth::OpenAIOAuthProvider)),
_ => None,
}
}
@@ -409,7 +432,11 @@ fn client_config_info(client_config: &ClientConfig) -> (&str, &'static str, Opti
"claude",
c.auth.as_deref(),
),
ClientConfig::OpenAIConfig(c) => (c.name.as_deref().unwrap_or("openai"), "openai", None),
ClientConfig::OpenAIConfig(c) => (
c.name.as_deref().unwrap_or("openai"),
"openai",
c.auth.as_deref(),
),
ClientConfig::OpenAICompatibleConfig(c) => (
c.name.as_deref().unwrap_or("openai-compatible"),
"openai-compatible",
+334 -23
View File
@@ -1,13 +1,17 @@
use super::access_token::{get_access_token, get_access_token_account_id};
use super::oauth::{self, OAuthProvider};
use super::openai_oauth::OpenAIOAuthProvider;
use super::*;
use crate::utils::strip_think_tag;
use anyhow::{Context, Result, bail};
use reqwest::RequestBuilder;
use reqwest::{Client as ReqwestClient, RequestBuilder};
use serde::Deserialize;
use serde_json::{Value, json};
const API_BASE: &str = "https://api.openai.com/v1";
const CODEX_API_ENDPOINT: &str = "https://chatgpt.com/backend-api/codex/responses";
#[derive(Debug, Clone, Deserialize, Default)]
pub struct OpenAIConfig {
@@ -15,6 +19,7 @@ pub struct OpenAIConfig {
pub api_key: Option<String>,
pub api_base: Option<String>,
pub organization_id: Option<String>,
pub auth: Option<String>,
#[serde(default)]
pub models: Vec<ModelData>,
pub patch: Option<RequestPatch>,
@@ -25,36 +30,131 @@ impl OpenAIClient {
config_get_fn!(api_key, get_api_key);
config_get_fn!(api_base, get_api_base);
create_client_config!([("api_key", "API Key", None, true)]);
create_oauth_supported_client_config!();
}
impl_client_trait!(
OpenAIClient,
(
prepare_chat_completions,
openai_chat_completions,
openai_chat_completions_streaming
),
(prepare_embeddings, openai_embeddings),
(noop_prepare_rerank, noop_rerank),
);
#[async_trait::async_trait]
impl Client for OpenAIClient {
client_common_fns!();
fn prepare_chat_completions(
fn supports_oauth(&self) -> bool {
self.config.auth.as_deref() == Some("oauth")
}
async fn chat_completions_inner(
&self,
client: &ReqwestClient,
data: ChatCompletionsData,
) -> Result<ChatCompletionsOutput> {
let uses_codex =
self.config.auth.as_deref() == Some("oauth") && self.get_api_base().is_err();
let request_data = prepare_chat_completions(self, client, data).await?;
let builder = self.request_builder(client, request_data);
if uses_codex {
openai_responses_chat_completions(builder, self.model()).await
} else {
openai_chat_completions(builder, self.model()).await
}
}
async fn chat_completions_streaming_inner(
&self,
client: &ReqwestClient,
handler: &mut SseHandler,
data: ChatCompletionsData,
) -> Result<()> {
let uses_codex =
self.config.auth.as_deref() == Some("oauth") && self.get_api_base().is_err();
let request_data = prepare_chat_completions(self, client, data).await?;
let builder = self.request_builder(client, request_data);
if uses_codex {
openai_responses_streaming(builder, handler).await
} else {
openai_chat_completions_streaming(builder, handler, self.model()).await
}
}
async fn embeddings_inner(
&self,
client: &ReqwestClient,
data: &EmbeddingsData,
) -> Result<EmbeddingsOutput> {
let request_data = prepare_embeddings(self, client, data).await?;
let builder = self.request_builder(client, request_data);
openai_embeddings(builder, self.model()).await
}
async fn rerank_inner(
&self,
client: &ReqwestClient,
data: &RerankData,
) -> Result<RerankOutput> {
let request_data = noop_prepare_rerank(self, data)?;
let builder = self.request_builder(client, request_data);
noop_rerank(builder, self.model()).await
}
}
async fn prepare_chat_completions(
self_: &OpenAIClient,
client: &ReqwestClient,
data: ChatCompletionsData,
) -> Result<RequestData> {
let api_key = self_.get_api_key()?;
let api_base = self_
.get_api_base()
.unwrap_or_else(|_| API_BASE.to_string());
let uses_oauth = self_.config.auth.as_deref() == Some("oauth");
let has_custom_base = self_.get_api_base().is_ok();
let url = format!("{}/chat/completions", api_base.trim_end_matches('/'));
let uses_codex = uses_oauth && !has_custom_base;
let body = openai_build_chat_completions_body(data, &self_.model);
let url = if uses_codex {
CODEX_API_ENDPOINT.to_string()
} else {
let api_base = self_
.get_api_base()
.unwrap_or_else(|_| API_BASE.to_string());
format!("{}/chat/completions", api_base.trim_end_matches('/'))
};
let body = if uses_codex {
openai_build_responses_body(data, &self_.model)
} else {
openai_build_chat_completions_body(data, &self_.model)
};
let mut request_data = RequestData::new(url, body);
request_data.bearer_auth(api_key);
if uses_oauth {
let provider = OpenAIOAuthProvider;
let ready = oauth::prepare_oauth_access_token(client, &provider, self_.name()).await?;
if !ready {
bail!(
"OAuth configured but no tokens found for '{}'. Run: 'coyote --authenticate {}' or '.authenticate' in the REPL",
self_.name(),
self_.name()
);
}
let token = get_access_token(self_.name())?;
request_data.bearer_auth(token);
if let Some(account_id) = get_access_token_account_id(self_.name()) {
request_data.header("ChatGPT-Account-Id", account_id);
}
for (key, value) in provider.extra_request_headers() {
request_data.header(key, value);
}
} else if let Ok(api_key) = self_.get_api_key() {
request_data.bearer_auth(api_key);
} else {
bail!(
"No authentication configured for '{}'. Set `api_key` or use `auth: oauth` with `coyote --authenticate {}`.",
self_.name(),
self_.name()
);
}
if let Some(organization_id) = &self_.config.organization_id {
request_data.header("OpenAI-Organization", organization_id);
}
@@ -62,8 +162,11 @@ fn prepare_chat_completions(
Ok(request_data)
}
fn prepare_embeddings(self_: &OpenAIClient, data: &EmbeddingsData) -> Result<RequestData> {
let api_key = self_.get_api_key()?;
async fn prepare_embeddings(
self_: &OpenAIClient,
client: &ReqwestClient,
data: &EmbeddingsData,
) -> Result<RequestData> {
let api_base = self_
.get_api_base()
.unwrap_or_else(|_| API_BASE.to_string());
@@ -74,7 +177,30 @@ fn prepare_embeddings(self_: &OpenAIClient, data: &EmbeddingsData) -> Result<Req
let mut request_data = RequestData::new(url, body);
request_data.bearer_auth(api_key);
if self_.config.auth.as_deref() == Some("oauth") {
let provider = OpenAIOAuthProvider;
let ready = oauth::prepare_oauth_access_token(client, &provider, self_.name()).await?;
if !ready {
bail!(
"OAuth configured but no tokens found for '{}'. Run: 'coyote --authenticate {}' or '.authenticate' in the REPL",
self_.name(),
self_.name()
);
}
let token = get_access_token(self_.name())?;
request_data.bearer_auth(token);
} else if let Ok(api_key) = self_.get_api_key() {
request_data.bearer_auth(api_key);
} else {
bail!(
"No authentication configured for '{}'. Set `api_key` or use `auth: oauth` with `coyote --authenticate {}`.",
self_.name(),
self_.name()
);
}
if let Some(organization_id) = &self_.config.organization_id {
request_data.header("OpenAI-Organization", organization_id);
}
@@ -402,3 +528,188 @@ fn normalize_function_id(value: &str) -> Option<String> {
Some(value.to_string())
}
}
pub fn openai_build_responses_body(data: ChatCompletionsData, model: &Model) -> Value {
let ChatCompletionsData {
messages,
temperature,
top_p,
functions,
stream,
} = data;
let messages_len = messages.len();
let input: Vec<Value> = messages
.into_iter()
.enumerate()
.flat_map(|(i, message)| {
let Message { role, content } = message;
match content {
MessageContent::ToolCalls(MessageContentToolCalls {
tool_results,
text: _,
sequence: _,
}) => tool_results
.into_iter()
.flat_map(|tool_result| {
vec![
json!({
"type": "function_call",
"call_id": tool_result.call.id,
"name": tool_result.call.name,
"arguments": tool_result.call.arguments.to_string(),
}),
json!({
"type": "function_call_output",
"call_id": tool_result.call.id,
"output": tool_result.output.to_string(),
}),
]
})
.collect(),
MessageContent::Text(text) if role.is_assistant() && i != messages_len - 1 => {
vec![json!({ "role": role, "content": strip_think_tag(&text) })]
}
_ => vec![json!({ "role": role, "content": content })],
}
})
.collect();
let mut body = json!({
"model": &model.real_name(),
"input": input,
"store": false,
});
if let Some(v) = model.max_tokens_param() {
body["max_output_tokens"] = v.into();
}
if let Some(v) = temperature {
body["temperature"] = v.into();
}
if let Some(v) = top_p {
body["top_p"] = v.into();
}
if stream {
body["stream"] = true.into();
}
if let Some(functions) = functions {
body["tools"] = functions
.iter()
.map(|v| {
let mut tool = serde_json::to_value(v).unwrap_or_default();
tool["type"] = "function".into();
tool
})
.collect();
}
body
}
pub async fn openai_responses_chat_completions(
builder: RequestBuilder,
_model: &Model,
) -> Result<ChatCompletionsOutput> {
let res = builder.send().await?;
let status = res.status();
let data: Value = res.json().await?;
if !status.is_success() {
catch_error(&data, status.as_u16())?;
}
debug!("non-stream-data: {data}");
openai_extract_responses(&data)
}
pub fn openai_extract_responses(data: &Value) -> Result<ChatCompletionsOutput> {
let mut text = String::new();
let mut tool_calls = vec![];
if let Some(output) = data["output"].as_array() {
for item in output {
match item["type"].as_str() {
Some("message") => {
if let Some(content) = item["content"].as_array() {
for part in content {
if part["type"].as_str() == Some("output_text")
&& let Some(t) = part["text"].as_str()
{
text.push_str(t);
}
}
}
}
Some("function_call") => {
if let (Some(name), Some(arguments_str), Some(call_id)) = (
item["name"].as_str(),
item["arguments"].as_str(),
item["call_id"].as_str(),
) {
let arguments: Value = arguments_str.parse().with_context(|| {
format!("Tool call '{name}' has non-JSON arguments '{arguments_str}'")
})?;
tool_calls.push(ToolCall::new(
name.to_string(),
arguments,
Some(call_id.to_string()),
));
}
}
_ => {}
}
}
}
if text.is_empty() && tool_calls.is_empty() {
bail!("Invalid response data: {data}");
}
Ok(ChatCompletionsOutput { text, tool_calls })
}
pub async fn openai_responses_streaming(
builder: RequestBuilder,
handler: &mut SseHandler,
) -> Result<()> {
let handle = |message: SseMessage| -> Result<bool> {
if message.data == "[DONE]" {
return Ok(true);
}
let data: Value = serde_json::from_str(&message.data)?;
debug!("stream-data: {data}");
match data["type"].as_str() {
Some("response.output_text.delta") => {
if let Some(delta) = data["delta"].as_str().filter(|v| !v.is_empty()) {
handler.text(delta)?;
}
}
Some("response.output_item.done") => {
let item = &data["item"];
if item["type"].as_str() == Some("function_call")
&& let (Some(name), Some(arguments_str), Some(call_id)) = (
item["name"].as_str(),
item["arguments"].as_str(),
item["call_id"].as_str(),
)
{
let arguments: Value = arguments_str.parse().with_context(|| {
format!("Tool call '{name}' has non-JSON arguments '{arguments_str}'")
})?;
handler.tool_call(ToolCall::new(
name.to_string(),
arguments,
Some(call_id.to_string()),
))?;
}
}
Some("response.completed") => {
return Ok(true);
}
_ => {}
}
Ok(false)
};
sse_stream(builder, handle).await
}
+79
View File
@@ -0,0 +1,79 @@
use super::oauth::{OAuthProvider, TokenRequestFormat};
use base64::Engine;
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
use serde_json::Value;
pub struct OpenAIOAuthProvider;
impl OAuthProvider for OpenAIOAuthProvider {
fn provider_name(&self) -> &str {
"openai"
}
fn client_id(&self) -> &str {
"app_EMoamEEZ73f0CkXaXp7hrann"
}
fn authorize_url(&self) -> &str {
"https://auth.openai.com/oauth/authorize"
}
fn token_url(&self) -> &str {
"https://auth.openai.com/oauth/token"
}
fn redirect_uri(&self) -> &str {
"http://localhost:1455/auth/callback"
}
fn scopes(&self) -> &str {
"openid profile email offline_access"
}
fn token_request_format(&self) -> TokenRequestFormat {
TokenRequestFormat::FormUrlEncoded
}
fn extra_authorize_params(&self) -> Vec<(&str, &str)> {
vec![
("id_token_add_organizations", "true"),
("codex_cli_simplified_flow", "true"),
]
}
fn fixed_redirect_uri(&self) -> Option<String> {
Some("http://localhost:1455/auth/callback".to_string())
}
fn include_state_in_token_exchange(&self) -> bool {
false
}
fn extract_account_id(&self, response: &Value) -> Option<String> {
let id_token = response["id_token"].as_str().unwrap_or_default();
let access_token = response["access_token"].as_str().unwrap_or_default();
extract_account_id_from_jwt(id_token).or_else(|| extract_account_id_from_jwt(access_token))
}
}
fn extract_account_id_from_jwt(token: &str) -> Option<String> {
let parts: Vec<&str> = token.splitn(3, '.').collect();
if parts.len() < 2 {
return None;
}
let decoded = URL_SAFE_NO_PAD.decode(parts[1]).ok()?;
let claims: Value = serde_json::from_slice(&decoded).ok()?;
claims["chatgpt_account_id"]
.as_str()
.map(|s| s.to_string())
.or_else(|| {
claims["https://api.openai.com/auth"]["chatgpt_account_id"]
.as_str()
.map(|s| s.to_string())
})
.or_else(|| {
claims["organizations"][0]["id"]
.as_str()
.map(|s| s.to_string())
})
}
+2 -2
View File
@@ -232,8 +232,8 @@ where
.map(|value| value.to_string());
let is_event_stream = content_type
.as_deref()
.map(|ct| ct.starts_with("text/event-stream"))
.unwrap_or(false);
.map(|ct| ct.is_empty() || ct.starts_with("text/event-stream"))
.unwrap_or(true);
if !is_event_stream {
let header_value = content_type.unwrap_or_default();
let text = res.text().await?;
+1 -1
View File
@@ -483,7 +483,7 @@ pub async fn prepare_gcloud_access_token(
let expires_at = Utc::now()
+ Duration::try_seconds(expires_in)
.ok_or_else(|| anyhow!("Failed to parse expires_in of access_token"))?;
set_access_token(client_name, token, expires_at.timestamp())
set_access_token(client_name, token, expires_at.timestamp(), None)
}
Ok(())
}