Summary
Codex OAuth login drops id_token during token exchange, which can prevent chatgpt_account_id from being persisted in the saved credential. That makes login behavior depend on whether the access token also happens to contain the same claim.
Impact
- Codex login can appear intermittent
- users may be forced to re-login
- login may fail entirely when the account id is only available in id_token
Root cause
Forge was reducing OAuth token responses down to a smaller structure too early and discarding provider-specific fields like id_token. Codex credential enrichment prefers id_token claims first when deriving chatgpt_account_id.
Proposed fix
Preserve the full OAuth token response during code exchange and Codex device exchange, then enrich the saved credential from id_token when available.
Verification
- cargo fmt --all
- cargo test -p forge_infra --lib
- cargo check -p forge_infra
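The root cause and fix described above, as an added Rust sketch that is not Forge's own code: reducing the token response before enrichment loses the account id whenever it lives only in id_token, while keeping the full response recovers it. The type and function names are hypothetical, the tokens are constructed samples, chatgpt_account_id is assumed to be a top-level string claim, and the JWT payload is read without signature verification.

```rust
// Hypothetical types for illustration; not Forge's actual structs.
struct TokenResponse { access_token: String, id_token: Option<String> }
struct Reduced { access_token: String } // early reduction: id_token is gone

fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut buf, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes().filter(|&c| c != b'=') {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        } as u32;
        buf = (buf << 6) | v;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((buf >> bits) as u8); buf &= (1 << bits) - 1; }
    }
    Some(out)
}
// Reads a string claim from a JWT payload; no signature check. The substring
// scan keeps this dependency-free; real code should use a JSON parser.
fn claim(jwt: &str, name: &str) -> Option<String> {
    let json = String::from_utf8(b64url_decode(jwt.split('.').nth(1)?)?).ok()?;
    let key = format!("\"{}\":\"", name);
    let start = json.find(&key)? + key.len();
    let len = json[start..].find('"')?;
    Some(json[start..start + len].to_string())
}
// Enrichment order from the issue: id_token claims first, then access token.
fn account_id(id_token: Option<&str>, access_token: &str) -> Option<String> {
    id_token.and_then(|t| claim(t, "chatgpt_account_id"))
        .or_else(|| claim(access_token, "chatgpt_account_id"))
}
fn lossy(r: &TokenResponse) -> Option<String> {
    let reduced = Reduced { access_token: r.access_token.clone() };
    account_id(None, &reduced.access_token) // id_token was dropped before enrichment
}
fn preserving(r: &TokenResponse) -> Option<String> {
    account_id(r.id_token.as_deref(), &r.access_token)
}
// Constructed tokens: the claim is present only in id_token.
fn sample() -> TokenResponse {
    TokenResponse { access_token: "hdr.eyJzdWIiOiJ1c2VyIn0.sig".into(),
        id_token: Some("hdr.eyJjaGF0Z3B0X2FjY291bnRfaWQiOiJhY2N0X2RlbW8ifQ.sig".into()) }
}
fn main() {
    println!("lossy: {:?}, preserving: {:?}", lossy(&sample()), preserving(&sample()));
}
```

When the access token happens to carry the same claim, both paths return the id, which is why the failure looks intermittent.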