Skip to content

feat: Add OAuth credential system with OpenAI Codex support#1

Merged
broomva merged 1 commit intomainfrom
feat/oauth-credentials
Mar 1, 2026
Merged

feat: Add OAuth credential system with OpenAI Codex support#1
broomva merged 1 commit intomainfrom
feat/oauth-credentials

Conversation

@broomva
Copy link
Owner

@broomva broomva commented Mar 1, 2026

Summary

  • Introduces a generic Credential trait abstraction for LLM provider authentication, replacing raw API key strings with pluggable credential types
  • Implements OpenAI Codex OAuth 2.0 flows (PKCE Authorization Code and Device Code) as the first concrete OAuth provider
  • Adds arcan login openai / arcan logout openai CLI commands and updates provider auto-detection to check stored OAuth credentials

Changes

New files

  • crates/arcan-provider/src/credential.rsCredential trait + ApiKeyCredential + AnthropicApiKeyCredential
  • crates/arcan-provider/src/oauth.rsOAuthCredential, token storage (~/.arcan/credentials/), PKCE flow, Device Code flow, token refresh

Modified files

  • crates/arcan-core/src/error.rs — Added CoreError::Auth variant
  • crates/arcan-provider/src/openai.rsOpenAiConfig uses Arc<dyn Credential>, 401 refresh retry
  • crates/arcan-provider/src/anthropic.rsAnthropicConfig uses Arc<dyn Credential>
  • crates/arcan/src/main.rs — Login/Logout CLI commands, OAuth-aware provider selection

Provider selection order

  1. ARCAN_PROVIDER env var (explicit override)
  2. Stored OAuth credentials (~/.arcan/credentials/)
  3. API key env vars (ANTHROPIC_API_KEY, OPENAI_API_KEY)
  4. MockProvider fallback

Test plan

  • cargo fmt — clean
  • cargo clippy --workspace — zero warnings
  • cargo test --workspace — 252 tests pass (+ 1 pre-existing ignored)
  • All existing tests pass with refactored Credential-based configs
  • 24 new tests for credential types, OAuth token lifecycle, PKCE, and token storage
  • Manual: arcan login openai opens browser, completes PKCE flow
  • Manual: arcan login openai --device displays device code, polls until authorized
  • Manual: arcan logout openai removes stored credentials

🤖 Generated with Claude Code

@vercel
Copy link

vercel bot commented Mar 1, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
arcan-web Error Error Mar 1, 2026 5:05am

@broomva broomva force-pushed the feat/oauth-credentials branch from 2f9e0b9 to 92c4a69 Compare March 1, 2026 12:09
@broomva @claude
feat: Add OAuth credential system with OpenAI Codex support
bc4161c 
Introduce a generic Credential trait abstraction for LLM provider
authentication, replacing raw API key strings with pluggable credential
types. Implement OpenAI Codex OAuth 2.0 flows (PKCE and Device Code)
as the first concrete OAuth provider.

- Add Credential trait with auth_header(), refresh(), and needs_refresh()
- Add ApiKeyCredential and AnthropicApiKeyCredential implementations
- Add OAuthCredential with automatic token refresh via RwLock
- Add PKCE Authorization Code flow with local callback server
- Add Device Code flow for headless/SSH environments
- Add token storage to ~/.arcan/credentials/ with 0600 permissions
- Refactor OpenAiConfig and AnthropicConfig to use Arc<dyn Credential>
- Add 401 retry with credential refresh in execute_with_retry
- Add `arcan login openai` and `arcan logout openai` CLI commands
- Update provider auto-detection to check stored OAuth credentials

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@broomva broomva force-pushed the feat/oauth-credentials branch from 92c4a69 to bc4161c Compare March 1, 2026 12:19
@broomva broomva merged commit bbda735 into main Mar 1, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@broomva