Expose browser-login progress phases and durable auth logging#15135
Closed
joshka-oai wants to merge 2 commits intomainfrom
Closed
Expose browser-login progress phases and durable auth logging#15135joshka-oai wants to merge 2 commits intomainfrom
joshka-oai wants to merge 2 commits intomainfrom
Conversation
Add a shared progress and failure model for browser OAuth login, with CLI rendering for user-facing milestones and classified failures. Split token-exchange error handling into a private type that preserves useful transport detail without logging sensitive URL data, and cover the rendered progress and failure text with per-message snapshots. Co-authored-by: Codex <noreply@openai.com>
Add durable tracing for browser-login startup and completion milestones that were previously only visible through the live progress stream. Preserve more provider and token-endpoint failure context in logs while still avoiding raw callback secrets, so support can diagnose failures from codex-login.log without reproducing the flow interactively. Co-authored-by: Codex <noreply@openai.com>
Contributor
Author
|
Closing for another simpler approach on this |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When browser login fails, Codex has historically exposed too little of the flow to make OAuth failures
understandable. Users mostly saw a static startup line and a final generic error, while support had to infer
where the flow broke from sparse logs. That is especially painful for transport/proxy failures around token
exchange, where the OAuth mechanics are already hard to reason about.
What This Delivers
This adds a shared login progress model for the browser OAuth flow, renders a small set of user-facing CLI
milestones, and classifies failures by stage and category so the terminal output is easier to understand.
It also adds durable tracing for the same milestones and preserves more non-secret provider/token-endpoint
context in
codex-login.log.Mental Model
codex-loginowns structured flow state: phase, failure phase, and failure category. The CLI consumes thatstate, prints only the milestones that matter to a user, and suppresses the generic fallback error when a
structured failure was already shown. Token-exchange errors keep the useful lower-level reqwest detail, but
strip the attached URL and log a sanitized endpoint separately.
Non-Goals
This does not migrate the flow to
openidconnect, replacetiny_httpwithaxum, or wire TUI/app-serveronto the progress stream yet.
Tradeoffs
The default user-facing strings now live in the login crate with the flow vocabulary. That makes the CLI path
simple and keeps the snapshot coverage close to the state model, but it does mean
LoginPhasecarries onedefault presentation via
Displayplus a separateis_user_visible()filter.Observability
The callback path still avoids logging raw authorization codes, device codes, tokens, or raw callback query
strings. It does now log provider
error_descriptionand token-endpoint error detail, and it records startupand completion milestones that were previously only visible through the live progress stream.
Tests
cargo test -p codex-logincargo test -p codex-cli --libjust fmtcargo clippy --fix --tests --allow-dirty --allow-no-vcs -p codex-login -p codex-cli