Skip to content

fix(auth): support openai-codex login flow and surface OAuth failures#15406

Closed
mbelinky wants to merge 3 commits intomainfrom
landing/codex-spark
Closed

fix(auth): support openai-codex login flow and surface OAuth failures#15406
mbelinky wants to merge 3 commits intomainfrom
landing/codex-spark

Conversation

@mbelinky
Copy link
Contributor

@mbelinky mbelinky commented Feb 13, 2026
edited by greptile-apps bot
Loading

Summary

  • add a shared loginOpenAICodexOAuth helper for OpenAI Codex OAuth flow handling
  • use the helper in onboarding auth-choice so OAuth failures are surfaced instead of silently swallowed
  • support openclaw models auth login --provider openai-codex directly
  • add focused tests for the new OAuth helper behavior

Why

#14552 reported a real issue around Codex auth flow behavior. This keeps the fix scope small and uses current main architecture.

Testing

  • bunx vitest run src/commands/openai-codex-oauth.test.ts
  • bunx vitest run src/commands/auth-choice.test.ts
  • pnpm build

Thanks @zhiluo20 for the original report and patch direction in #14552.

Greptile Overview

Greptile Summary

This PR factors the OpenAI Codex OAuth login flow into a shared loginOpenAICodexOAuth helper, reuses it in the onboarding auth-choice flow, and adds support for openclaw models auth login --provider openai-codex with optional default-model setting. It also adds focused tests covering the helper’s success and error behavior.

The main behavioral change is that Codex OAuth failures are now surfaced via the shared helper (spinner stop + runtime.error + help note), but the helper currently rethrows, which affects how the onboarding wizard handles failures.

Confidence Score: 3/5

  • This PR is close to safe to merge, but there is a wizard-breaking error-propagation change on Codex OAuth failures.
  • Core refactor is small and tests cover the new helper, but the onboarding path now allows OAuth exceptions to bubble out (helper rethrows and caller no longer catches), which can terminate interactive flows unexpectedly.
  • src/commands/auth-choice.apply.openai.ts; src/commands/openai-codex-oauth.ts

Last reviewed commit: 2e53973

@openclaw-barnacle openclaw-barnacle bot added commands Command implementations size: M maintainer Maintainer-authored PR labels Feb 13, 2026
@mbelinky mbelinky mentioned this pull request Feb 13, 2026
Closed
greptile-apps[bot]
greptile-apps bot reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

src/commands/auth-choice.apply.openai.ts Outdated
Comment on lines 127 to 133
const creds = await loginOpenAICodexOAuth({
prompter: params.prompter,
runtime: params.runtime,
isRemote: isRemoteEnvironment(),
openUrl,
localBrowserMessage: "Complete sign-in in browser…",
});
Copy link
Contributor

@greptile-apps greptile-apps bot Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unhandled OAuth exception

loginOpenAICodexOAuth catches OAuth failures, logs/shows a help note, and then rethrows (src/commands/openai-codex-oauth.ts:49-54). In the onboarding wizard path here there’s no try/catch anymore, so an OAuth failure will bubble up through applyAuthChoice and ultimately crash the wizard (e.g. agents.commands.add.ts:360-366 rethrows non-cancel errors). Previously this branch swallowed the error and returned the unchanged config. Consider restoring a local try/catch here (or changing the helper to not rethrow for wizard usage) so OAuth failures are surfaced without terminating the flow.

Prompt To Fix With AI 
This is a comment left during a code review.
Path: src/commands/auth-choice.apply.openai.ts
Line: 127:133

Comment:
**Unhandled OAuth exception**

`loginOpenAICodexOAuth` catches OAuth failures, logs/shows a help note, and then *rethrows* (`src/commands/openai-codex-oauth.ts:49-54`). In the onboarding wizard path here there’s no try/catch anymore, so an OAuth failure will bubble up through `applyAuthChoice` and ultimately crash the wizard (e.g. `agents.commands.add.ts:360-366` rethrows non-cancel errors). Previously this branch swallowed the error and returned the unchanged config. Consider restoring a local try/catch here (or changing the helper to not rethrow for wizard usage) so OAuth failures are surfaced without terminating the flow.

How can I resolve this? If you propose a fix, please make it concise.

mbelinky added a commit that referenced this pull request Feb 13, 2026
@mbelinky
Auth: land codex oauth onboarding flow (#15406)
86e4fe0
@mbelinky
Copy link
Contributor Author

mbelinky commented Feb 13, 2026

Landed manually via maintainer flow.

What we did:

  • Squashed landing/codex-spark onto latest main in an integration branch.
  • Resolved the CHANGELOG.md conflict by keeping both existing unreleased entries and the fix(auth): support openai-codex login flow and surface OAuth failures #15406 entry.
  • Ran local validation for touched auth paths:
    • pnpm exec vitest run --config vitest.e2e.config.ts src/commands/auth-choice.e2e.test.ts
    • pnpm exec vitest run src/commands/openai-codex-oauth.test.ts
  • Fast-forward merged to main and pushed.

Traceability:

  • PR head commits: 2e53973d6aa5, f78742e7db63, 3cc758f930d3
  • Landed on main: 86e4fe0a7

@mbelinky mbelinky closed this Feb 13, 2026
@mbelinky mbelinky deleted the landing/codex-spark branch February 13, 2026 17:19
electricpen added a commit to electricpen/moltbot that referenced this pull request Feb 13, 2026
@electricpen @claude
Merge upstream openclaw (e84318e)
5f3a184 
Merged upstream changes while preserving custom security patches:
- WebSocket origin validation (browser-as-proxy mitigation)
- Injection scan configuration initialization
- isLoopbackAddress helper for origin checks

Notable upstream changes:
- Block private/loopback/metadata IPs in link-understanding (openclaw#15604)
- OAuth onboarding flow for Codex (openclaw#15406)
- Discord guild ID misroute fix
- Performance improvements (lockfile, abort handling)
- Many Windows compatibility fixes

Co-Authored-By: Claude Opus 4.6 <[email protected]>
@github-actions github-actions bot mentioned this pull request Feb 13, 2026
Open
zhangyang-crazy-one pushed a commit to zhangyang-crazy-one/openclaw that referenced this pull request Feb 13, 2026
@mbelinky
Auth: land codex oauth onboarding flow (openclaw#15406)
df95a67
steipete pushed a commit to azade-c/openclaw that referenced this pull request Feb 14, 2026
@mbelinky @steipete
Auth: land codex oauth onboarding flow (openclaw#15406)
a4a201e
@nickytonline nickytonline mentioned this pull request Feb 14, 2026
Closed
GwonHyeok pushed a commit to learners-superpumped/openclaw that referenced this pull request Feb 15, 2026
@mbelinky @GwonHyeok
Auth: land codex oauth onboarding flow (openclaw#15406)
5f6693f
cloud-neutral pushed a commit to cloud-neutral-toolkit/openclawbot.svc.plus that referenced this pull request Feb 15, 2026
@mbelinky
Auth: land codex oauth onboarding flow (openclaw#15406)
b1a2f55
jiulingyun added a commit to jiulingyun/openclaw-cn that referenced this pull request Feb 15, 2026
@jiulingyun
feat: land codex oauth onboarding flow (openclaw#15406) (upstream 86e…
e4810f5 
…4fe0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

commands Command implementations maintainer Maintainer-authored PR size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mbelinky

Comments