fix: add macOS Keychain fallback for Claude Code v2.1.63+ auth #14
JerrettDavis merged 2 commits into main
Claude Code v2.1.63+ intentionally stores OAuth credentials in the macOS system Keychain (service 'Claude Code-credentials') and deletes ~/.claude/.credentials.json after migration. This caused the connector to report 'Not authenticated' on macOS even when claude login succeeded.

The provider now tries the credentials file first (Linux/Windows path), then falls back to reading from the macOS Keychain via the `security` CLI tool when the file is absent. Both the full credentials-file JSON format and the raw OAuth object format are handled.

A pluggable `KeychainReader` delegate (internal) allows unit tests to exercise the new code path without requiring a live macOS Keychain.

Fixes: JerrettDavis/JD.AI#6
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: None

Test Results: 182 tests, 173 ✅, 3s ⏱️. Results for commit b30146b. ♻️ This comment has been updated with latest results.
Pull request overview
Adds a macOS fallback for Claude Code authentication by reading OAuth credentials from the system Keychain when the legacy ~/.claude/.credentials.json file is absent (as of Claude Code v2.1.63+ on macOS).
Changes:
- Add macOS Keychain credential lookup (via `security`) as a fallback when the credentials file cannot be loaded.
- Introduce an internal, pluggable `KeychainReader` delegate to enable deterministic unit testing.
- Expand unit tests to cover Keychain wrapped/raw formats, invalid data, and precedence over the credentials file.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `src/JD.SemanticKernel.Connectors.ClaudeCode/ClaudeCodeSessionProvider.cs` | Adds macOS Keychain fallback logic and a default reader implementation using the `security` CLI. |
| `tests/JD.SemanticKernel.Connectors.ClaudeCode.Tests/ClaudeCodeSessionProviderTests.cs` | Adds tests for Keychain fallback behavior and updates existing tests to disable Keychain reads when appropriate. |
@copilot open a new pull request to apply changes based on the comments in this thread

@JerrettDavis I've opened a new pull request, #15, to work on those changes. Once the pull request is ready, I'll request review from you.
The macOS Keychain fallback was gated by OperatingSystem.IsMacOS() which prevented the injected test KeychainReader from being called on non-macOS CI runners. Track whether the reader was overridden and skip the OS check when a test stub is injected.

Apply code review suggestions:
- Reword log message from 'Credentials file not found' to 'Credentials unavailable from file' for accuracy
- Stop redirecting stderr to avoid potential buffer deadlock
- Wire cancellation token to process kill in NETSTANDARD2_0 branch so a Keychain permission prompt cannot hang the caller

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
f335a43 to b30146b
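
The lookup order and process handling described in this thread, as an added C# example that is not the connector's own code. It assumes .NET 6+; the `KeychainReader` signature, the `claudeAiOauth` and `accessToken` property names, and the `security find-generic-password -s ... -w` invocation are assumptions, since the page gives only the tool and the service name.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text.Json;

// Hypothetical delegate shape; the page names KeychainReader but not its signature.
public delegate string? KeychainReader(string service, TimeSpan timeout);

public static class ClaudeCredentialLookup
{
    const string Service = "Claude Code-credentials"; // service name from the PR description

    // File first (Linux/Windows path); Keychain only when the file yields no token.
    public static string? ResolveAccessToken(string path, KeychainReader readKeychain)
    {
        string? fileJson = null;
        try { if (File.Exists(path)) fileJson = File.ReadAllText(path); }
        catch (Exception e) when (e is IOException or UnauthorizedAccessException) { }
        return ExtractAccessToken(fileJson)
            ?? ExtractAccessToken(readKeychain(Service, TimeSpan.FromSeconds(5)));
    }

    // Accepts the wrapped form {"claudeAiOauth":{...}} and the raw OAuth object {...}
    // (property names are assumptions, not taken from the page).
    public static string? ExtractAccessToken(string? json)
    {
        if (string.IsNullOrWhiteSpace(json)) return null;
        try
        {
            using var doc = JsonDocument.Parse(json);
            var root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return null;
            var oauth = root.TryGetProperty("claudeAiOauth", out var inner)
                        && inner.ValueKind == JsonValueKind.Object ? inner : root;
            return oauth.TryGetProperty("accessToken", out var tok)
                   && tok.ValueKind == JsonValueKind.String ? tok.GetString() : null;
        }
        catch (JsonException) { return null; } // invalid data means "not authenticated", not a crash
    }

    public static string? ReadWithSecurityCli(string service, TimeSpan timeout)
    {
        if (!OperatingSystem.IsMacOS()) return null;
        // Absolute path and ArgumentList: no PATH lookup, no shell quoting of the service name.
        var psi = new ProcessStartInfo("/usr/bin/security") { RedirectStandardOutput = true, UseShellExecute = false };
        foreach (var a in new[] { "find-generic-password", "-s", service, "-w" }) psi.ArgumentList.Add(a);
        using var p = Process.Start(psi);
        if (p is null) return null;
        var stdout = p.StandardOutput.ReadToEndAsync(); // stderr is not redirected, so no undrained pipe
        // A pending Keychain permission prompt must not hang the caller: kill on timeout.
        if (!p.WaitForExit((int)timeout.TotalMilliseconds)) { p.Kill(); p.WaitForExit(); return null; }
        return p.ExitCode == 0 ? stdout.Result.Trim() : null;
    }
}
```

A test can pass a lambda returning a constructed JSON string as the `KeychainReader`, which exercises the fallback on any OS without touching a real Keychain; the token value itself should never be written to logs.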