feat(app-server): support external auth mode

[owenlin0]

This enables a new use case where codex app-server is embedded into a parent application that will directly own the user's ChatGPT auth lifecycle, which means it owns the user’s auth tokens and refreshes it when necessary. The parent application would just want a way to pass in the auth tokens for codex to use directly.

The idea is that we are introducing a new "auth mode" currently only exposed via app server: chatgptAuthTokens which consist of the id_token (stores account metadata) and access_token (the bearer token used directly for backend API calls). These auth tokens are only stored in-memory. This new mode is in addition to the existing apiKey and chatgpt auth modes.

This PR reuses the shape of our existing app-server account APIs as much as possible:

• Update account/login/start with a new chatgptAuthTokens variant, which will allow the client to pass in the tokens and have codex app-server use them directly. Upon success, the server emits account/login/completed and account/updated notifications.
• A new server->client request called account/chatgptAuthTokens/refresh which the server can use whenever the access token previously passed in has expired and it needs a new one from the parent application.

I leveraged the core 401 retry loop which typically triggers auth token refreshes automatically, but made it pluggable:

• chatgpt mode refreshes internally, as usual.
• chatgptAuthTokens mode calls the client via account/chatgptAuthTokens/refresh, the client responds with updated tokens, codex updates its in-memory auth, then retries. This RPC has a 10s timeout and handles JSON-RPC errors from the client.

Also some additional things:

• chatgpt logins are blocked while external auth is active (have to log out first. typically clients will pick one OR the other, not support both)
• account/logout clears external auth in memory
• Ensures that if forced_chatgpt_workspace_id is set via the user's config, we respect it in both:
  • account/login/start with chatgptAuthTokens (returns a JSON-RPC error back to the client)
  • account/chatgptAuthTokens/refresh (fails the turn, and on next request app-server will send another account/chatgptAuthTokens/refresh request to the client).

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1d8e3f6349

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 066d53b68e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1437b502f5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Nice work!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ef1bc6bb68

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 89629234c1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 083c2f1d87

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. What shall we delve into next?

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[celia-oai]

chatted offline, we'll hide the ephemeral logic in storage.rs so it's abstracted away from auth.rs.

[owenlin0]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Keep it up!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[owenlin0]

@codex review

[celia-oai]

the code lgtm, can we also test out that there's no regression & test out the new endpoints (log in, refresh) in a local build end-to-end?

[owenlin0]

@celia-oai yep, tested this build locally as well

[bolinfest]

I think we need some documentation that declares the intent behind this AuthMode. Does it represent:

1. the default Responses endpoint to use for the "openai" provider:

codex/codex-rs/core/src/model_provider_info.rs

Lines 140 to 144 in b79bf69

	let default_base_url = if matches!(auth_mode, Some(AuthMode::ChatGPT)) {
	"https://chatgpt.com/backend-api/codex"
	} else {
	"https://api.openai.com/v1"
	};

2. features to show in the TUI (if there are any that are specific to ChatGPT users)?
3. how to get an auth token?

To me, it feels like AuthMode should specify 1 and 2, but CodexAuth should specify 3.

[bolinfest]

This is maybe OK for now, but ultimately, I think we should be focused on pulling the auth tokens out of the app server rather than pushing them in. That is, I would rather see a new CodexAuth variant like EndpointProvidedAuth that means "rely on the endpoint to ensure HTTP requests are authenticated" that could be applicable to either AuthMode::ApiKey or AuthMode::ChatGPT.