Skip to content

[connectors] Refresh codex_apps /ps/mcp auth#31486

Open
stevenlee-oai wants to merge 1 commit into
mainfrom
dev/stevenlee/fix-stale-codex-apps-auth
Open

[connectors] Refresh codex_apps /ps/mcp auth#31486
stevenlee-oai wants to merge 1 commit into
mainfrom
dev/stevenlee/fix-stale-codex-apps-auth

Conversation

@stevenlee-oai

@stevenlee-oai stevenlee-oai commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Codex Thread 019f2408-dc59-79f2-b245-4c11debd1a61

Why

Long-lived Codex sessions can outlive the ChatGPT bearer token that was present when the MCP runtime started.

The Responses path already recovers from token expiration by refreshing or reloading the shared AuthManager. The reserved codex_apps hosted-plugin client did not observe that update: McpConnectionManager built its /ps/mcp HTTP auth once from a CodexAuth snapshot, and auth_provider_from_auth copied that snapshot bearer into a static BearerAuthProvider.

After the copied bearer expired, /ps/mcp kept sending it even though Responses had a newer token in the same AuthManager. The failure occurred before downstream connector execution, so unrelated apps such as Gmail, Slack, and Google Calendar could all fail with the same transport-level 401 token_expired.

This replaces openai/codex#29474, which was closed for inactivity without being merged. A new long-lived-session report reproduced the same simultaneous /ps/mcp expiry pattern across unrelated apps.

What changed

  • Add an AuthManager-backed request-header provider in codex-model-provider. It keeps an Arc<AuthManager> and reads auth_cached() for each outbound request, so the next /ps/mcp call sees a token refreshed by the existing Responses/auth-recovery flow.
  • Scope that provider to the startup account, ChatGPT user, and workspace identity. Same-identity token reloads are followed; an account switch emits no ambient auth until account-scoped MCP state is rebuilt.
  • Have McpConnectionManager construct the dynamic provider only for the reserved codex_apps registration used by the hosted-plugin /ps/mcp path.
MCP path Auth behavior after this change
Reserved codex_apps hosted-plugin /ps/mcp Read current same-identity auth from the shared AuthManager per request
codex_apps with CODEX_CONNECTORS_TOKEN Keep the environment bearer-token override
User-configured/direct MCP registrations Keep their existing configured auth path

Non-goals

  • No plugin-service changes.
  • No downstream Slack, Gmail, Calendar, or other connector OAuth/link-refresh changes.
  • No auth UI changes.
  • No behavior change for user-configured/direct MCP registrations.
  • No new /ps/mcp-initiated token refresh; this makes /ps/mcp observe refreshes already performed through the shared AuthManager.

Tests

  • just test -p codex-model-provider
    • Covers same-identity token reloads and refuses a changed startup identity.
  • just test -p codex-mcp
  • just test -p codex-core mcp_auth_refresh
    • Creates the reserved hosted-plugin codex_apps /ps/mcp client before reload, performs a real tools/call after reload, and asserts the request uses the refreshed bearer.

@stevenlee-oai stevenlee-oai requested a review from a team as a code owner July 7, 2026 22:19

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7b6616f512

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/core/src/session/session.rs Outdated
Comment thread codex-rs/core/src/session/session.rs Outdated
@stevenlee-oai stevenlee-oai force-pushed the dev/stevenlee/fix-stale-codex-apps-auth branch 2 times, most recently from 4bb6f8f to f260834 Compare July 7, 2026 23:13
@stevenlee-oai stevenlee-oai changed the title [connectors] Refresh host-owned codex_apps MCP auth [connectors] Refresh codex_apps /ps/mcp auth Jul 7, 2026
@stevenlee-oai stevenlee-oai force-pushed the dev/stevenlee/fix-stale-codex-apps-auth branch from f260834 to 6f097aa Compare July 7, 2026 23:28
Comment thread codex-rs/core/src/session/mcp.rs Outdated
cancellation_token
};
let current_runtime = self.services.latest_mcp_runtime();
let codex_apps_auth_provider = auth.as_ref().and_then(|auth| {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this has been repeated multiple times elsewhere, can we dedupe/simplify?

@mzeng-openai mzeng-openai left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left one small nit

@stevenlee-oai stevenlee-oai force-pushed the dev/stevenlee/fix-stale-codex-apps-auth branch from e1e84d9 to 8a1689a Compare July 8, 2026 01:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants