Description
Agent Diagnostic
What The Issue Actually Is
This was not one single bug. It was a missing support path in OpenShell for a specific Codex auth flow:
- openshell sandbox create -- codex
- no OPENAI_API_KEY is available locally
- Codex falls back to browser-based ChatGPT login
- that login needs:
  - a localhost callback on port 1455
  - outbound HTTPS access to OpenAI auth endpoints from inside the sandbox
OpenShell handled neither of those automatically for Codex.
What I Found
In the repo, the Codex provider only supports the API-key path. It discovers OPENAI_API_KEY and injects it, but it does not model ChatGPT browser auth at all. See OpenShell/crates/openshell-providers/src/providers/codex.rs.
That led to two concrete failures:
- First failure: browser callback broke.
  - Codex inside the sandbox redirected the host browser to http://localhost:1455/...
  - the callback server was listening inside the sandbox, not on the host
  - OpenShell had not forwarded port 1455
  - result: ERR_CONNECTION_REFUSED
- Second failure: token exchange broke.
  - after manually forwarding 1455, the callback reached Codex
  - then Codex tried to call https://auth.openai.com/oauth/token
  - the sandbox policy did not allow Codex’s outbound OpenAI traffic
  - result: token_exchange_failed
So the real issue is: OpenShell supported “Codex with provider-backed OPENAI_API_KEY”, but not “Codex launched in a sandbox, then authenticated interactively via ChatGPT browser login”.
Why The Repo Behaved This Way
OpenShell’s policy system is binary-path + endpoint based. If the running binary and host are not allowed, the request is denied. That is expected behavior.
The gap was in sandbox create:
- it inferred codex
- it tried provider auto-creation
- if no local API key existed, it basically just let Codex start
- but it did not prepare the runtime for browser auth
That made the docs a little misleading: “configure it from inside the sandbox” was technically true, but incomplete for the ChatGPT login path.
Description
Trying to sign in with ChatGPT OAuth doesn't work, since the networking configuration doesn't currently support it.
The issue can be solved manually by port-forwarding 1455 and adding the following policy:
```yaml
version: 1
network_policies:
  codex_openai_auth:
    name: codex-openai-auth
    endpoints:
      - host: auth.openai.com
        port: 443
      - host: api.openai.com
        port: 443
    binaries:
      - path: /usr/local/bin/codex
      - path: /usr/bin/node
```
My agent is also able to solve it, but I won't assume I know how you guys want to approach the solution here, since it might be relevant for other providers as well. Or maybe you don't want to solve it and it's that way by design.
Either way, I think the investigation I've provided here should be good enough for any future changes if needed.
cheers
Reproduction Steps
- run openshell sandbox create -- codex
- choose sign in with ChatGPT
- put in the one-time password
- redirect fails
Environment
- OS: Mac 15.7.4
Logs
Agent-First Checklist
- I pointed my agent at the repo and had it investigate this issue
- I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
- My agent could not resolve this — the diagnostic above explains why
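As an added illustration (not OpenShell's own code), the following Python models the binary-path + endpoint allow-list described under "Why The Repo Behaved This Way", loaded with the network policy from the issue. It shows the token-exchange request (codex to auth.openai.com:443) being denied while no policy exists and allowed once both the binary and the endpoint are listed. The exact matching rules (exact binary path, exact host and port, default deny) are assumptions, not OpenShell's documented semantics.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed, simplified model of the allow-list semantics the issue describes:
# a request is allowed only when one policy lists BOTH the calling binary and the
# destination host:port; anything else is denied (default deny). This is not
# OpenShell's policy engine, and the matching rules are an assumption.


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


@dataclass
class NetworkPolicy:
    name: str
    endpoints: frozenset[Endpoint] = field(default_factory=frozenset)
    binaries: frozenset[str] = field(default_factory=frozenset)

    def check(self, binary: str, host: str, port: int) -> tuple[bool, str]:
        """Return (allowed, reason) for one outbound request under this policy."""
        if binary not in self.binaries:
            return False, f"{self.name}: binary {binary} not listed"
        if Endpoint(host, port) not in self.endpoints:
            return False, f"{self.name}: endpoint {host}:{port} not listed"
        return True, f"{self.name}: allowed"


# The policy from the issue's YAML, transcribed field for field.
CODEX_OPENAI_AUTH = NetworkPolicy(
    name="codex-openai-auth",
    endpoints=frozenset({Endpoint("auth.openai.com", 443), Endpoint("api.openai.com", 443)}),
    binaries=frozenset({"/usr/local/bin/codex", "/usr/bin/node"}),
)


def evaluate(policies: list[NetworkPolicy], binary: str, host: str, port: int) -> tuple[bool, str]:
    """Default deny: the first policy matching both binary and endpoint allows the request."""
    reasons = []
    for policy in policies:
        allowed, reason = policy.check(binary, host, port)
        if allowed:
            return True, reason
        reasons.append(reason)
    return False, "denied: " + ("; ".join(reasons) or "no network policy applies")


if __name__ == "__main__":
    # The token exchange from the issue's second failure, before and after adding the policy.
    token_request = ("/usr/local/bin/codex", "auth.openai.com", 443)
    print(evaluate([], *token_request))                   # (False, 'denied: no network policy applies')
    print(evaluate([CODEX_OPENAI_AUTH], *token_request))  # (True, 'codex-openai-auth: allowed')
    print(evaluate([CODEX_OPENAI_AUTH], "/usr/bin/curl", "auth.openai.com", 443))  # denied: binary not listed
```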