Skip to content

Instrument device auth requests with client identity#31649

Open
etraut-openai wants to merge 4 commits into
mainfrom
etraut/instrument-device-auth-client-identity
Open

Instrument device auth requests with client identity#31649
etraut-openai wants to merge 4 commits into
mainfrom
etraut/instrument-device-auth-client-identity

Conversation

@etraut-openai

Copy link
Copy Markdown
Collaborator

Why

Device authorization requests currently omit Codex client identity metadata, which limits detection and investigation of third-party reuse of the device flow. This metadata is telemetry only and remains spoofable; it is not used to authorize or deny requests.

What changed

  • Send the existing originator and Codex User-Agent on both device-auth endpoints.
  • Thread the existing persisted installation ID from CLI and app-server callers and send it as x-codex-installation-id for the trusted issuer path.
  • Preserve app-server client name/version identity suffixes through the existing initialization machinery.
  • Withhold the durable installation ID from custom issuers and leave the final OAuth token exchange unchanged.

Verification

Manually exercised the production device flow with an isolated temporary CODEX_HOME. The user-code endpoint issued a code, token polling continued across multiple intervals without rejecting the added headers, and the flow was cancelled before authorization with no tokens persisted.

Problem: Device authorization requests omitted Codex client identity metadata, limiting detection and investigation of third-party device-flow reuse.

Solution: Send the existing originator, User-Agent, and trusted-path installation ID on both device-auth endpoints while withholding the durable ID from custom issuers. Manually verified production user-code issuance and repeated token polling with an isolated CODEX_HOME, then cancelled before authorization with no tokens persisted.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 57e5d11f52

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/cli/src/login.rs Outdated
Comment thread codex-rs/login/src/device_code_auth.rs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant