…c OAuth flag

Two bugs in the auxiliary provider auto-detection chain:

1. Expired Codex JWT blocks the auto chain: _read_codex_access_token() returned any stored token without checking expiry, preventing fallback to working providers. Now decodes JWT exp claim and returns None for expired tokens.
2. Auxiliary Anthropic client missing OAuth identity transforms: _AnthropicCompletionsAdapter always called build_anthropic_kwargs with is_oauth=False, causing 400 errors for OAuth tokens. Now detects OAuth tokens via _is_oauth_token() and propagates the flag through the adapter chain.

Cherry-picked from PR #2378 by 0xbyt4. Fixed test_api_key_no_oauth_flag to mock resolve_anthropic_token directly (env var alone was insufficient).
Summary
Salvage of PR #2378 by @0xbyt4, cherry-picked onto current main.
Two bugs fixed:
1. Expired Codex JWT blocks the auxiliary auto chain
_read_codex_access_token() returned expired JWTs without checking expiry, blocking fallback to working providers (Anthropic, Z.AI, etc.). All side tasks (compression, vision, memory flush) would silently fail with 401. Now decodes JWT exp claim and returns None for expired tokens so the auto chain continues.
2. Auxiliary Anthropic client missing OAuth identity transforms
_AnthropicCompletionsAdapter always called build_anthropic_kwargs(is_oauth=False) regardless of token type. OAuth tokens need Claude Code identity transforms (system prompt prefix, tool name prefixing) — without them, Anthropic's proxy rejects with 400. Now detects OAuth tokens via _is_oauth_token() and propagates through the adapter chain.
Follow-up fix
Fixed test_api_key_no_oauth_flag — original test set ANTHROPIC_API_KEY env var but _try_anthropic() resolves tokens via resolve_anthropic_token(), which has its own resolution chain. Mocking resolve_anthropic_token directly ensures the test key actually reaches _is_oauth_token().
Impact
Only affects users with expired Codex auth + Anthropic OAuth tokens. All other configurations unchanged.
Tests: 76/76 auxiliary client tests passing. 25 pre-existing failures in full suite (redact test ordering issue, present on clean main).
Credit: @0xbyt4 (original author, commit authorship preserved).
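The expiry check described in the first fix, as an added example that is not part of this PR or the project's code: it reads the exp claim of a stored JWT without verifying the signature (a local staleness check only) and returns None for an expired token so a fallback chain can move on. The function names, the 60-second skew margin and the pass-through of tokens whose expiry cannot be read are assumptions of this sketch.

```python
import base64
import json
import time

def jwt_exp(token):
    """Return the exp claim (epoch seconds), or None if it cannot be read. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque (non-JWT) token: nothing to decode
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    return exp

def usable_stored_token(token, now=None, skew=60):
    """Return the token if it is worth trying, else None so the caller falls through."""
    if not token:
        return None
    exp = jwt_exp(token)
    if exp is None:
        return token  # assumption: unreadable expiry is left for the server to judge
    now = time.time() if now is None else now
    return token if exp > now + skew else None  # skew absorbs clock drift (assumed margin)

def make_sample_jwt(claims):
    """Build an unsigned, constructed JWT used only as sample input."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64(claims), "sig"])

def first_usable(candidates, now):
    """Walk (provider, token) pairs in order; return the first provider with a usable token."""
    for name, token in candidates:
        if usable_stored_token(token, now=now):
            return name
    return None
```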