Files
codex/codex-rs/model-provider/src/auth.rs
T
Celia Chen a803790a10 feat: add opt-in provider runtime abstraction (#17713)
## Summary

- Add `codex-model-provider` as the runtime home for model-provider
behavior that does not belong in `codex-core`, `codex-login`, or
`codex-api`.
- The new crate wraps configured `ModelProviderInfo` in a
`ModelProvider` trait object that can resolve the API provider config,
provider-scoped auth manager, and request auth provider for each call.
- This centralizes provider auth behavior in one place today, and gives
us an extension point for future provider-specific auth, model listing,
request setup, and related runtime behavior.

## Tests
Ran tests manually to make sure that provider auth under different
configs still work as expected.

---------

Co-authored-by: pakrym-oai <pakrym@openai.com>
2026-04-17 02:27:45 +00:00

65 lines
1.9 KiB
Rust

use std::sync::Arc;
use codex_api::SharedAuthProvider;
use codex_login::AuthManager;
use codex_login::CodexAuth;
use codex_model_provider_info::ModelProviderInfo;
use crate::bearer_auth_provider::BearerAuthProvider;
/// Returns the provider-scoped auth manager when this provider uses command-backed auth.
///
/// Providers without custom auth continue using the caller-supplied base manager, when present.
pub(crate) fn auth_manager_for_provider(
auth_manager: Option<Arc<AuthManager>>,
provider: &ModelProviderInfo,
) -> Option<Arc<AuthManager>> {
match provider.auth.clone() {
Some(config) => Some(AuthManager::external_bearer_only(config)),
None => auth_manager,
}
}
fn bearer_auth_provider_from_auth(
auth: Option<&CodexAuth>,
provider: &ModelProviderInfo,
) -> codex_protocol::error::Result<BearerAuthProvider> {
if let Some(api_key) = provider.api_key()? {
return Ok(BearerAuthProvider {
token: Some(api_key),
account_id: None,
is_fedramp_account: false,
});
}
if let Some(token) = provider.experimental_bearer_token.clone() {
return Ok(BearerAuthProvider {
token: Some(token),
account_id: None,
is_fedramp_account: false,
});
}
if let Some(auth) = auth {
let token = auth.get_token()?;
Ok(BearerAuthProvider {
token: Some(token),
account_id: auth.get_account_id(),
is_fedramp_account: auth.is_fedramp_account(),
})
} else {
Ok(BearerAuthProvider {
token: None,
account_id: None,
is_fedramp_account: false,
})
}
}
pub(crate) fn resolve_provider_auth(
auth: Option<&CodexAuth>,
provider: &ModelProviderInfo,
) -> codex_protocol::error::Result<SharedAuthProvider> {
Ok(Arc::new(bearer_auth_provider_from_auth(auth, provider)?))
}