feat: add OAuth authentication support for ChatGPT Plus/Pro accounts

- Add OAuth types and configuration for ChatGPT authentication
- Implement PKCE and state validation helpers for secure OAuth flow
- Create OAuth callback server to handle authorization codes
- Add token exchange functionality to get API keys from OAuth tokens
- Implement SecretStorage manager for ChatGPT credentials
- Update OpenAI provider to support chatgpt auth mode
- Add main authentication manager to orchestrate the OAuth flow

This allows users with ChatGPT Plus/Pro subscriptions to authenticate
using their existing accounts instead of requiring separate API billing.
Compatible with Codex CLI authentication flow.

Fixes #6993

Author: roomote

packages/types/src/index.ts

@@ -12,6 +12,7 @@ export * from "./mcp.js"
 export * from "./message.js"
 export * from "./mode.js"
 export * from "./model.js"
+export * from "./oauth.js"
 export * from "./provider-settings.js"
 export * from "./sharing.js"
 export * from "./task.js"

packages/types/src/oauth.ts

@@ -0,0 +1,86 @@
+import { z } from "zod"
+
+/**
+ * OAuth configuration for ChatGPT authentication
+ */
+export const CHATGPT_OAUTH_CONFIG = {
+	clientId: "app_EMoamEEZ73f0CkXaXp7hrann", // Codex CLI client ID for compatibility
+	authorizationUrl: "https://auth.openai.com/oauth/authorize",
+	tokenUrl: "https://auth.openai.com/oauth/token",
+	redirectUri: "http://localhost:1455/auth/callback",
+	defaultPort: 1455,
+	scopes: ["openid", "profile", "email", "offline_access"],
+} as const
+
+/**
+ * OAuth tokens structure
+ */
+export const oauthTokensSchema = z.object({
+	accessToken: z.string(),
+	idToken: z.string(),
+	refreshToken: z.string(),
+	expiresIn: z.number().optional(),
+	tokenType: z.string().optional(),
+})
+
+export type OAuthTokens = z.infer<typeof oauthTokensSchema>
+
+/**
+ * ChatGPT credentials stored in SecretStorage
+ */
+export const chatGptCredentialsSchema = z.object({
+	apiKey: z.string().optional(), // Exchanged API key
+	idToken: z.string(),
+	refreshToken: z.string(),
+	lastRefreshIso: z.string().optional(),
+	responseId: z.string().optional(), // For conversation continuity
+})
+
+export type ChatGptCredentials = z.infer<typeof chatGptCredentialsSchema>
+
+/**
+ * Codex CLI auth.json structure for import
+ */
+export const codexAuthJsonSchema = z.object({
+	OPENAI_API_KEY: z.string().optional(),
+	tokens: z
+		.object({
+			id_token: z.string(),
+			access_token: z.string().optional(),
+			refresh_token: z.string().optional(),
+		})
+		.optional(),
+	last_refresh: z.string().optional(),
+})
+
+export type CodexAuthJson = z.infer<typeof codexAuthJsonSchema>
+
+/**
+ * OAuth state for CSRF protection
+ */
+export interface OAuthState {
+	state: string
+	codeVerifier: string
+	timestamp: number
+}
+
+/**
+ * Token exchange request for getting API key from OAuth tokens
+ */
+export interface TokenExchangeRequest {
+	grant_type: "urn:ietf:params:oauth:grant-type:token-exchange"
+	requested_token_type: "openai-api-key"
+	subject_token: string // ID token
+	subject_token_type: "urn:ietf:params:oauth:token-type:id_token"
+	client_id: string
+}
+
+/**
+ * OAuth error response
+ */
+export const oauthErrorSchema = z.object({
+	error: z.string(),
+	error_description: z.string().optional(),
+})
+
+export type OAuthError = z.infer<typeof oauthErrorSchema>

packages/types/src/provider-settings.ts

@@ -155,6 +155,7 @@ const openAiSchema = baseProviderSettingsSchema.extend({
 	openAiStreamingEnabled: z.boolean().optional(),
 	openAiHostHeader: z.string().optional(), // Keep temporarily for backward compatibility during migration.
 	openAiHeaders: z.record(z.string(), z.string()).optional(),
+	openAiAuthMode: z.enum(["apiKey", "chatgpt"]).optional(), // New: Authentication mode
 })
 
 const ollamaSchema = baseProviderSettingsSchema.extend({

src/api/providers/openai.ts

@@ -29,17 +29,47 @@ import type { SingleCompletionHandler, ApiHandlerCreateMessageMetadata } from ".
 // compatible with the OpenAI API. We can also rename it to `OpenAIHandler`.
 export class OpenAiHandler extends BaseProvider implements SingleCompletionHandler {
 	protected options: ApiHandlerOptions
-	private client: OpenAI
+	private client!: OpenAI // Using definite assignment assertion since we initialize it
+	private apiKeyPromise?: Promise<string>
 
 	constructor(options: ApiHandlerOptions) {
 		super()
 		this.options = options
 
+		// Initialize the client asynchronously if using ChatGPT auth
+		if (this.options.openAiAuthMode === "chatgpt") {
+			this.apiKeyPromise = this.getApiKeyFromChatGpt()
+			this.apiKeyPromise
+				.then((apiKey) => {
+					this.initializeClient(apiKey)
+				})
+				.catch((error) => {
+					console.error("Failed to get API key from ChatGPT:", error)
+				})
+		} else {
+			// Initialize immediately for regular API key mode
+			this.initializeClient(this.options.openAiApiKey ?? "not-provided")
+		}
+	}
+
+	private async getApiKeyFromChatGpt(): Promise<string> {
+		// Lazy import to avoid circular dependencies
+		const { getCredentialsManager } = await import("../../core/auth/chatgpt-credentials-manager")
+		const credentialsManager = getCredentialsManager()
+		const apiKey = await credentialsManager.getApiKey()
+
+		if (!apiKey) {
+			throw new Error("No API key found for ChatGPT authentication. Please sign in with your ChatGPT account.")
+		}
+
+		return apiKey
+	}
+
+	private initializeClient(apiKey: string): void {
 		const baseURL = this.options.openAiBaseUrl ?? "https://api.openai.com/v1"
-		const apiKey = this.options.openAiApiKey ?? "not-provided"
 		const isAzureAiInference = this._isAzureAiInference(this.options.openAiBaseUrl)
 		const urlHost = this._getUrlHost(this.options.openAiBaseUrl)
-		const isAzureOpenAi = urlHost === "azure.com" || urlHost.endsWith(".azure.com") || options.openAiUseAzure
+		const isAzureOpenAi = urlHost === "azure.com" || urlHost.endsWith(".azure.com") || this.options.openAiUseAzure
 
 		const headers = {
 			...DEFAULT_HEADERS,
@@ -77,6 +107,14 @@ export class OpenAiHandler extends BaseProvider implements SingleCompletionHandl
 		messages: Anthropic.Messages.MessageParam[],
 		metadata?: ApiHandlerCreateMessageMetadata,
 	): ApiStream {
+		// Ensure client is initialized for ChatGPT auth mode
+		if (this.apiKeyPromise) {
+			await this.apiKeyPromise
+		}
+
+		if (!this.client) {
+			throw new Error("OpenAI client not initialized")
+		}
 		const { info: modelInfo, reasoning } = this.getModel()
 		const modelUrl = this.options.openAiBaseUrl ?? ""
 		const modelId = this.options.openAiModelId ?? ""
@@ -256,6 +294,14 @@ export class OpenAiHandler extends BaseProvider implements SingleCompletionHandl
 
 	async completePrompt(prompt: string): Promise<string> {
 		try {
+			// Ensure client is initialized for ChatGPT auth mode
+			if (this.apiKeyPromise) {
+				await this.apiKeyPromise
+			}
+
+			if (!this.client) {
+				throw new Error("OpenAI client not initialized")
+			}
 			const isAzureAiInference = this._isAzureAiInference(this.options.openAiBaseUrl)
 			const model = this.getModel()
 			const modelInfo = model.info