codex login didn't support ChatGPT SSO

[kamontat]

What version of Codex is running?

codex-cli 0.47.0

What subscription do you have?

Business Plan

Which model were you using?

not related

What platform is your computer?

Darwin 25.0.0 arm64 arm

What issue are you seeing?

codex login didn't works as expected when "Enforce SSO log in" on ChatGPT account.

What steps can reproduce the bug?

1. Login to ChatGPT account where SSO is enabled and enforce
2. Try run codex exec "hello"
3. Got exceeded retry limit, last status: 401 Unauthorized, request id: 99305b0bedfb45b1-BKK

What is the expected behavior?

Able to login successfully and chat with codex.

Additional information

The workaround I found is...

1. run codex then run /logout
2. run codex again and login when it prompt
3. this will works until exit codex tui

I did some investigating on token and found that the jwt token created on first login, contains sso_connection_id field as well as sub fields having saml format. HOWEVER, on subsequence token missing sso_connection_id and sub fields having auth0 instead.

On first login

On subsequence execute

I also check network, and saw that openai return below error, when token missing sso_connection_id.

{
  "detail": {
    "code": "require_sso_login",
    "account_name": "<account-name>"
  }
}

[pakrym-oai]

Thank you for the report, we are looking into it!

[pakrym-oai]

Can you run /feedback after getting a 401 error? That will share a bit more information that's helpful for debugging.

[melsharnou-chwy]

I also have a problem with SSO, I use codex login, it opens the home page, I put the company email, it redirects to Okta then shows this error.

The Okta login works fine for the ChatGPT website but not for codex cli

An error occurred during authentication. Please try again.
You can contact us through our help center at [help.openai.com](https://help.openai.com/) if you keep seeing this error. (Please include the request ID bc190af84420a4b63c32d4120952c03d in your email.)

[pakrym-oai]

@kamontat can you try deleting ~/.codex/auth.json, doing login and seeing whether it works across codex sessions?

[kamontat]

@pakrym-oai tried, several times, but no luck.

Here is the detailed steps with /feedback as you requested:

1. Delete ~/.codex/auth.json file
2. Run codex, then login using okta
3. enter prompt hello
4. run /feedback
5. Thread ID: 019a167c-9f53-7960-9f75-e36cfcc449ee
6. THEN... exit codex tui
7. run codex again
8. enter prompt hello
9. GOT exceeded retry limit, last status: 401 Unauthorized, request id: ***
10. Thread ID: 019a167d-bf89-7e03-b035-89a0209ee37e

I also notice that some time after first login, the token in auth.json got refreshed to invalid one (the one without sso_connection_id) even though the token is still valid.

I would love to help contributing and help fixes the issue.

[pakrym-oai]

@kamontat I'd love your help! Can you try to debug why the token refresh is triggered? See CodexAuth.refresh_token

[kamontat]

@pakrym-oai I'm no longer able to reproduce the premature refresh token today, so I need to wait for token to expire. As my suspect is on refresh flow.

[etraut-openai]

Closing old bugs.