[Auth] Add keyring support for Codex CLI (#5591)

Follow-up PR to #5569. Add Keyring Support for Auth Storage in Codex CLI as well as a hybrid mode (default to persisting in keychain but fall back to file when unavailable.) It also refactors out the keyringstore implementation from rmcp-client [here](https://github.com/openai/codex/blob/main/codex-rs/rmcp-client/src/oauth.rs) to a new keyring-store crate. There will be a follow-up that picks the right credential mode depending on the config, instead of hardcoding `AuthCredentialsStoreMode::File`.
2025-10-27 12:10:11 -07:00
parent 3e50f94d76
commit 0fc295d958
8 changed files with 764 additions and 180 deletions
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -1064,6 +1064,7 @@ dependencies = [
 "codex-async-utils",
 "codex-file-search",
 "codex-git-tooling",
+ "codex-keyring-store",
 "codex-otel",
 "codex-protocol",
 "codex-rmcp-client",
@@ -1082,6 +1083,7 @@ dependencies = [
 "http",
 "image",
 "indexmap 2.10.0",
+ "keyring",
 "landlock",
 "libc",
 "maplit",
@@ -1098,6 +1100,7 @@ dependencies = [
 "serde_json",
 "serial_test",
 "sha1",
+ "sha2",
 "shlex",
 "similar",
 "strum_macros 0.27.2",
@@ -1221,6 +1224,14 @@ dependencies = [
 "walkdir",
 ]

+[[package]]
+name = "codex-keyring-store"
+version = "0.0.0"
+dependencies = [
+ "keyring",
+ "tracing",
+]
+
 [[package]]
 name = "codex-linux-sandbox"
 version = "0.0.0"
@@ -1386,6 +1397,7 @@ version = "0.0.0"
 dependencies = [
 "anyhow",
 "axum",
+ "codex-keyring-store",
 "codex-protocol",
 "dirs",
 "escargot",