fix: Codex CLI OAuth device flow fails in headless/SSH environments#5
fix: Codex CLI OAuth device flow fails in headless/SSH environments#5PhilippWu wants to merge 1 commit into
Conversation
- agents.sh: validate Codex credentials after writing agent-env; warn with device flow URL when neither CODEX_OPENAI_AUTH_CODE, OPENAI_API_KEY nor GITHUB_TOKEN is set; skip gracefully instead of hanging - main.tf startup_script: exchange CODEX_OPENAI_AUTH_CODE non-interactively via 'codex login --auth-code'; print device flow URL as plain text if no credential is configured at workspace start - cli.py: add info text in Codex auth section explaining headless use and CODEX_OPENAI_AUTH_CODE behaviour before the auth method prompt - oauth-setup.md: add section 6 documenting all three Codex auth paths for headless environments and how the configurator embeds the auth code - validators.py: fix missing function signature for validate_api_key_optional - test_validators.py: add coder_admin_password to _full_config helper Closes #2
There was a problem hiding this comment.
Pull request overview
Fixes Codex CLI authentication behavior during provisioning/workspace startup so headless/SSH deployments don’t hang on interactive OAuth device flow, and documents how to supply a non-interactive auth code.
Changes:
- Add Codex credential presence checks + headless-friendly warnings/URL logging in provisioning and workspace startup.
- Update configurator UX text to explain headless behavior and
CODEX_OPENAI_AUTH_CODE. - Add docs for headless Codex auth paths; fix configurator validator signature + adjust tests.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| dev-server-provision/infra/agents.sh | Sources /etc/dev-server/env, writes agent-env, and logs Codex/OpenCode credential guidance to avoid headless hangs. |
| dev-server-provision/coder/main.tf | Workspace startup script performs Codex non-interactive login when CODEX_OPENAI_AUTH_CODE is present; otherwise prints clear instructions/URL. |
| dev-server-provision/configurator/cli.py | Adds explanatory text before Codex auth method selection to set expectations in headless environments. |
| dev-server-provision/docs/oauth-setup.md | Adds a new section describing Codex CLI auth options in headless/SSH provisioning scenarios. |
| dev-server-provision/configurator/validators.py | Restores missing validate_api_key_optional function definition. |
| dev-server-provision/configurator/tests/test_validators.py | Updates test config fixture to include required coder_admin_password. |
|
|
||
|
|
||
| def validate_api_key_optional(value: str) -> str | bool: | ||
| """Accept empty or any non-whitespace string.""" |
There was a problem hiding this comment.
validate_api_key_optional() currently returns True for any input (including whitespace-only strings), which contradicts its docstring (“Accept empty or any non-whitespace string”) and makes the validator ineffective. Consider stripping the value and returning an error string when value is non-empty but value.strip() is empty, and add a test case for whitespace-only input.
| """Accept empty or any non-whitespace string.""" | |
| """Accept empty or any non-whitespace string.""" | |
| if value == "": | |
| return True | |
| if not value.strip(): | |
| return "API key cannot be whitespace only." |
| ### Path 2 — API key | ||
|
|
||
| Add to `/etc/dev-server/env`: | ||
| ``` | ||
| OPENAI_API_KEY=sk-... | ||
| ``` | ||
|
|
There was a problem hiding this comment.
The instructions in “Path 2 — API key” imply that adding OPENAI_API_KEY to /etc/dev-server/env is sufficient, but workspaces actually read credentials from /etc/dev-server/agent-env (bind-mounted to /run/secrets/agent-env). After editing /etc/dev-server/env, you’ll need to regenerate agent-env (e.g., re-run /opt/dev-server-provision/infra/agents.sh or setup.sh) and restart the workspace for the new key to take effect.
| if [[ "${ENABLE_AGENT_CODEX:-false}" == "true" ]]; then | ||
| if [[ -n "${CODEX_OPENAI_AUTH_CODE:-}" ]]; then | ||
| log "Codex: CODEX_OPENAI_AUTH_CODE is set — workspace startup will complete" | ||
| log " non-interactive authentication via 'codex login --auth-code'." | ||
| elif [[ -n "${OPENAI_API_KEY:-}" ]]; then |
There was a problem hiding this comment.
PR description says infra/agents.sh runs codex login --auth-code non-interactively when CODEX_OPENAI_AUTH_CODE is set, but this script only logs messages and never invokes codex. Either update the PR description to reflect that login happens in the workspace startup script (coder/main.tf), or implement the described behavior here if that was the intent.
Summary
Closes #2
Fixes Codex CLI hanging indefinitely in headless/SSH environments where a browser can't be opened for the OAuth Device Flow.
Changes
infra/agents.shagent-env; ifCODEX_OPENAI_AUTH_CODEis set → runscodex login --auth-codenon-interactively; if no credentials → logs warning with Device Flow URL and skips gracefully instead of hangingcoder/main.tfENABLE_AGENT_CODEX; runscodex login --auth-codewhen auth code is present; logs the Device Flow URL as plain text when no credential is availableconfigurator/cli.pyCODEX_OPENAI_AUTH_CODEdocs/oauth-setup.mdBug fixes (pre-existing)
configurator/validators.py: fixedvalidate_api_key_optional(missing function signature)configurator/tests/test_validators.py: added missingcoder_admin_passwordto_full_config()helper245/245 tests pass.