feat(llm): Add subscription-based authentication for OpenAI Codex models #1682
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implement OAuth PKCE flow for authenticating with OpenAI's ChatGPT service, allowing users with ChatGPT Plus/Pro subscriptions to use Codex models (gpt-5.2-codex, gpt-5.2, gpt-5.1-codex-max, gpt-5.1-codex-mini) without consuming API credits. Key features: - OAuth PKCE flow with local callback server for secure authentication - Credential storage with automatic token refresh - LLM.subscription_login() classmethod for easy access - Support for multiple Codex models via ChatGPT subscription Usage: from openhands.sdk import LLM llm = LLM.subscription_login(model='gpt-5.2-codex') Inspired by opencode's implementation (anomalyco/opencode#7537). Co-authored-by: openhands <[email protected]>
Contributor
Coverage Report •
|
||||||||||||||||||||||||||||||
- Use authlib for PKCE generation (generate_token, create_s256_code_challenge) - Use aiohttp.web for OAuth callback server (cleaner than raw asyncio) - Add Codex-specific parameters (store=false, instructions) via litellm_extra_body - Add max_output_tokens=None for Codex (not supported by the API) - Reduce code from ~575 lines to ~492 lines This addresses the 'Instructions are not valid' error by properly configuring the Codex API parameters. Co-authored-by: openhands <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements OAuth PKCE flow for authenticating with OpenAI's ChatGPT service, allowing users with ChatGPT Plus/Pro subscriptions to use Codex models without consuming API credits.
Key features:
~/.local/share/openhands/auth/)LLM.subscription_login()classmethod for easy accessgpt-5.2-codexgpt-5.2gpt-5.1-codex-maxgpt-5.1-codex-miniUsage:
Implementation inspired by: opencode's implementation
New modules:
openhands/sdk/llm/auth/__init__.py- Auth module exportsopenhands/sdk/llm/auth/credentials.py- Credential storage and retrievalopenhands/sdk/llm/auth/openai.py- OpenAI OAuth PKCE flow implementationChecklist
Note: This feature requires a ChatGPT Plus/Pro subscription to test the actual OAuth flow. The unit tests cover the credential storage, PKCE generation, URL building, and mock token refresh scenarios.
@xingyaoww can click here to continue refining the PR
Agent Server images for this PR
• GHCR package: https://github.com/OpenHands/agent-sdk/pkgs/container/agent-server
Variants & Base Images
eclipse-temurin:17-jdknikolaik/python-nodejs:python3.12-nodejs22golang:1.21-bookwormPull (multi-arch manifest)
# Each variant is a multi-arch manifest supporting both amd64 and arm64 docker pull ghcr.io/openhands/agent-server:8f60e00-pythonRun
All tags pushed for this build
About Multi-Architecture Support
8f60e00-python) is a multi-arch manifest supporting both amd64 and arm648f60e00-python-amd64) are also available if needed