Include originator in authentication URL parameters (#3117)

Associates the client with an authentication session.
2025-09-03 16:51:00 -07:00
parent ed0d23d560
commit e83c5f429c
7 changed files with 44 additions and 18 deletions
--- a/codex-rs/login/src/server.rs
+++ b/codex-rs/login/src/server.rs
@@ -30,10 +30,11 @@ pub struct ServerOptions {
    pub port: u16,
    pub open_browser: bool,
    pub force_state: Option<String>,
+    pub originator: String,
 }

 impl ServerOptions {
-    pub fn new(codex_home: PathBuf, client_id: String) -> Self {
+    pub fn new(codex_home: PathBuf, client_id: String, originator: String) -> Self {
        Self {
            codex_home,
            client_id: client_id.to_string(),
@@ -41,6 +42,7 @@ impl ServerOptions {
            port: DEFAULT_PORT,
            open_browser: true,
            force_state: None,
+            originator,
        }
    }
 }
@@ -96,7 +98,14 @@ pub fn run_login_server(opts: ServerOptions) -> io::Result<LoginServer> {
    let server = Arc::new(server);

    let redirect_uri = format!("http://localhost:{actual_port}/auth/callback");
-    let auth_url = build_authorize_url(&opts.issuer, &opts.client_id, &redirect_uri, &pkce, &state);
+    let auth_url = build_authorize_url(
+        &opts.issuer,
+        &opts.client_id,
+        &redirect_uri,
+        &pkce,
+        &state,
+        &opts.originator,
+    );

    if opts.open_browser {
        let _ = webbrowser::open(&auth_url);
@@ -279,6 +288,7 @@ fn build_authorize_url(
    redirect_uri: &str,
    pkce: &PkceCodes,
    state: &str,
+    originator: &str,
 ) -> String {
    let query = vec![
        ("response_type", "code"),
@@ -290,6 +300,7 @@ fn build_authorize_url(
        ("id_token_add_organizations", "true"),
        ("codex_cli_simplified_flow", "true"),
        ("state", state),
+        ("originator", originator),
    ];
    let qs = query
        .into_iter()
--- a/codex-rs/login/tests/suite/login_server_e2e.rs
+++ b/codex-rs/login/tests/suite/login_server_e2e.rs
@@ -100,6 +100,7 @@ async fn end_to_end_login_flow_persists_auth_json() {
        port: 0,
        open_browser: false,
        force_state: Some(state),
+        originator: "test_originator".to_string(),
    };
    let server = run_login_server(opts).unwrap();
    let login_port = server.actual_port;
@@ -158,6 +159,7 @@ async fn creates_missing_codex_home_dir() {
        port: 0,
        open_browser: false,
        force_state: Some(state),
+        originator: "test_originator".to_string(),
    };
    let server = run_login_server(opts).unwrap();
    let login_port = server.actual_port;