feat(auth): adopt OAuth credentials from co-installed CLIs #407
Open
Destynova2 wants to merge 1 commit into
grob shares OAuth apps with the Codex CLI (~/.codex/auth.json) and Claude Code (macOS keychain "Claude Code-credentials"). Add `grob connect <provider> --from-system` to mirror an existing token from those sources into grob's encrypted store, avoiding a browser flow when a valid credential already exists locally.

With `[auth] adopt_from_system` (default off), the refresh daemon self-heals a revoked token by re-adopting the system credential instead of forcing a manual `connect --force-reauth`.

Claude tokens are mirrored read-only (grob never refreshes them) because the keychain item is shared by every Claude Code session and refresh rotates the shared refresh token; Codex tokens become grob-private and are refreshed normally. See ADR-0027.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What
Lets grob reuse the OAuth token a co-installed CLI already holds, instead of forcing a separate browser flow — and self-heal when its own copy is revoked by refresh-token rotation on the shared account.
grob uses the same OAuth apps as the tools it proxies:
- `~/.codex/auth.json` (OpenAI client `app_EMoamEEZ73f0CkXaXp7hrann`)
- `Claude Code-credentials` (Anthropic client `9d1c250a-…`)

Changes
- `src/auth/system_creds.rs` (new): `source_for`, `grob_may_refresh`, `read_token` (Codex JSON + Claude keychain), `adopt`. Codex `expires_at` is decoded from the access-token JWT `exp`; Claude from `expiresAt` (ms).
- `grob connect <provider> --from-system`: mirrors the system token into grob's encrypted store (no browser).
- `[auth] adopt_from_system` (default `false`): the refresh daemon re-adopts a `needs_reauth` token and recovers a terminal refresh failure by re-adoption.

Refresh ownership (key safety constraint)
Refresh rotates the refresh token, so only one process may refresh a given account:
See ADR-0027.
Tests
- `system_creds`: source mapping, refresh-ownership rule, Codex/Claude payload parsing (incl. JWT exp), missing-field rejection.
- `refresh_daemon`: new pure `plan_service` verdicts (skip / refresh codex / adopt claude / heal revoked / no-source fallback).
- `cargo test --lib auth::` → 68 passed; clippy clean.

Notes
- `cargo-deny` fails on a pre-existing stale advisory in `deny.toml` (`RUSTSEC-2025-0134` matches no crate) — unrelated to this change.

🤖 Generated with Claude Code
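
The refresh-ownership rule from the description, written out as a pure decision function. This is an added sketch, not code from the PR: the types, function names, the `skew` margin, the `Other` provider, and the verdict for an expired read-only Claude mirror when adoption is off are all assumptions.

```rust
// Added illustration of the refresh-ownership rule; not grob's own code.
// Types, names and the `skew` margin are assumptions.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Provider { Codex, Claude, Other }

#[derive(PartialEq, Debug)]
enum Verdict { Skip, Refresh, AdoptFromSystem, ManualReauth }

struct TokenState {
    provider: Provider,
    expires_at: u64,    // unix seconds
    needs_reauth: bool, // revoked, or refresh failed terminally
}

/// The Claude keychain item is shared by every Claude Code session and a
/// refresh rotates the shared refresh token, so that mirror is read-only.
fn may_refresh(p: Provider) -> bool {
    p != Provider::Claude
}

/// True when a co-installed CLI could hold a credential for this provider.
fn has_system_source(p: Provider) -> bool {
    matches!(p, Provider::Codex | Provider::Claude)
}

fn plan(t: &TokenState, now: u64, skew: u64, adopt_from_system: bool) -> Verdict {
    let can_adopt = adopt_from_system && has_system_source(t.provider);
    if t.needs_reauth {
        // Never retry a refresh with a revoked token: re-adopt or ask the user.
        return if can_adopt { Verdict::AdoptFromSystem } else { Verdict::ManualReauth };
    }
    if t.expires_at > now.saturating_add(skew) {
        return Verdict::Skip; // still valid with margin
    }
    if may_refresh(t.provider) {
        Verdict::Refresh // grob-private token, single refresher
    } else if can_adopt {
        Verdict::AdoptFromSystem // re-mirror what the owning CLI refreshed
    } else {
        Verdict::ManualReauth // assumption: mirror expired, adoption off
    }
}

fn main() {
    let t = TokenState { provider: Provider::Claude, expires_at: 100, needs_reauth: false };
    println!("{:?}", plan(&t, 200, 60, true)); // AdoptFromSystem
}
```

Keeping the verdict a pure function of token state and config makes the single-refresher invariant testable without touching the keychain or the network.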