openai
diff --git a/‎codex-rs/app-server/src/codex_message_processor.rs‎
Lines changed: 3 additions & 3 deletions b/‎codex-rs/app-server/src/codex_message_processor.rs‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎codex-rs/app-server/src/message_processor.rs‎
Lines changed: 5 additions & 5 deletions b/‎codex-rs/app-server/src/message_processor.rs‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎codex-rs/login/src/auth/auth_tests.rs‎
Lines changed: 176 additions & 0 deletions b/‎codex-rs/login/src/auth/auth_tests.rs‎
Lines changed: 176 additions & 0 deletions
@@ -1015,7 +1015,7 @@ impl CodexMessageProcessor {
         &mut self,
         params: &LoginApiKeyParams,
     ) -> std::result::Result<(), JSONRPCErrorError> {
-        if self.auth_manager.is_external_auth_active() {
+        if self.auth_manager.is_external_chatgpt_auth_active() {
             return Err(self.external_auth_active_error());
         }
 
@@ -1094,7 +1094,7 @@ impl CodexMessageProcessor {
     ) -> std::result::Result<LoginServerOptions, JSONRPCErrorError> {
         let config = self.config.as_ref();
 
-        if self.auth_manager.is_external_auth_active() {
+        if self.auth_manager.is_external_chatgpt_auth_active() {
             return Err(self.external_auth_active_error());
         }
 
@@ -1531,7 +1531,7 @@ impl CodexMessageProcessor {
     }
 
     async fn refresh_token_if_requested(&self, do_refresh: bool) -> RefreshTokenRequestOutcome {
-        if self.auth_manager.is_external_auth_active() {
+        if self.auth_manager.is_external_chatgpt_auth_active() {
             return RefreshTokenRequestOutcome::NotAttemptedOrSucceeded;
         }
         if do_refresh && let Err(err) = self.auth_manager.refresh_token().await {
 
@@ -206,10 +206,13 @@ impl MessageProcessor {
             session_source,
             enable_codex_api_key_env,
         } = args;
-        let auth_manager = AuthManager::shared(
+        let auth_manager = AuthManager::shared_with_external_chatgpt_auth_refresher(
             config.codex_home.clone(),
             enable_codex_api_key_env,
             config.cli_auth_credentials_store_mode,
+            Arc::new(ExternalAuthRefreshBridge {
+                outgoing: outgoing.clone(),
+            }),
         );
         let thread_manager = Arc::new(ThreadManager::new(
             config.as_ref(),
@@ -223,9 +226,6 @@ impl MessageProcessor {
             environment_manager,
         ));
         auth_manager.set_forced_chatgpt_workspace_id(config.forced_chatgpt_workspace_id.clone());
-        auth_manager.set_external_auth_refresher(Arc::new(ExternalAuthRefreshBridge {
-            outgoing: outgoing.clone(),
-        }));
         let analytics_events_client = AnalyticsEventsClient::new(
             Arc::clone(&auth_manager),
             config.chatgpt_base_url.trim_end_matches('/').to_string(),
@@ -282,7 +282,7 @@ impl MessageProcessor {
     }
 
     pub(crate) fn clear_runtime_references(&self) {
-        self.auth_manager.clear_external_auth_refresher();
+        self.auth_manager.clear_external_chatgpt_auth_refresher();
     }
 
     pub(crate) async fn process_request(
 
@@ -8,10 +8,12 @@ use codex_protocol::account::PlanType as AccountPlanType;
 
 use base64::Engine;
 use codex_protocol::config_types::ForcedLoginMethod;
+use codex_protocol::config_types::ModelProviderAuthInfo;
 use pretty_assertions::assert_eq;
 use serde::Serialize;
 use serde_json::json;
 use std::sync::Arc;
+use tempfile::TempDir;
 use tempfile::tempdir;
 
 #[tokio::test]
@@ -265,6 +267,180 @@ fn external_auth_tokens_without_chatgpt_metadata_cannot_seed_chatgpt_auth() {
     );
 }
 
+#[tokio::test]
+async fn external_bearer_only_auth_manager_uses_cached_provider_token() {
+    let script = ProviderAuthScript::new(&["provider-token", "next-token"]).unwrap();
+    let manager = AuthManager::external_bearer_only(script.auth_config());
+
+    let first = manager
+        .auth()
+        .await
+        .and_then(|auth| auth.api_key().map(str::to_string));
+    let second = manager
+        .auth()
+        .await
+        .and_then(|auth| auth.api_key().map(str::to_string));
+
+    assert_eq!(first.as_deref(), Some("provider-token"));
+    assert_eq!(second.as_deref(), Some("provider-token"));
+}
+
+#[tokio::test]
+async fn external_bearer_only_auth_manager_returns_none_when_command_fails() {
+    let script = ProviderAuthScript::new_failing().unwrap();
+    let manager = AuthManager::external_bearer_only(script.auth_config());
+
+    assert_eq!(manager.auth().await, None);
+}
+
+#[tokio::test]
+async fn unauthorized_recovery_uses_external_refresh_for_bearer_manager() {
+    let script = ProviderAuthScript::new(&["provider-token", "refreshed-provider-token"]).unwrap();
+    let manager = AuthManager::external_bearer_only(script.auth_config());
+    let initial_token = manager
+        .auth()
+        .await
+        .and_then(|auth| auth.api_key().map(str::to_string));
+    let mut recovery = manager.unauthorized_recovery();
+
+    assert!(recovery.has_next());
+    assert_eq!(recovery.mode_name(), "external");
+    assert_eq!(recovery.step_name(), "external_refresh");
+
+    let result = recovery
+        .next()
+        .await
+        .expect("external refresh should succeed");
+
+    assert_eq!(result.auth_state_changed(), Some(true));
+    let refreshed_token = manager
+        .auth()
+        .await
+        .and_then(|auth| auth.api_key().map(str::to_string));
+    assert_eq!(initial_token.as_deref(), Some("provider-token"));
+    assert_eq!(refreshed_token.as_deref(), Some("refreshed-provider-token"));
+}
+
+struct ProviderAuthScript {
+    tempdir: TempDir,
+    command: String,
+    args: Vec<String>,
+}
+
+impl ProviderAuthScript {
+    fn new(tokens: &[&str]) -> std::io::Result<Self> {
+        let tempdir = tempfile::tempdir()?;
+        let token_file = tempdir.path().join("tokens.txt");
+        let mut token_file_contents = String::new();
+        for token in tokens {
+            token_file_contents.push_str(token);
+            token_file_contents.push('\n');
+        }
+        std::fs::write(&token_file, token_file_contents)?;
+
+        #[cfg(unix)]
+        let (command, args) = {
+            let script_path = tempdir.path().join("print-token.sh");
+            std::fs::write(
+                &script_path,
+                r#"#!/bin/sh
+first_line=$(sed -n '1p' tokens.txt)
+printf '%s\n' "$first_line"
+tail -n +2 tokens.txt > tokens.next
+mv tokens.next tokens.txt
+"#,
+            )?;
+            let mut permissions = std::fs::metadata(&script_path)?.permissions();
+            {
+                use std::os::unix::fs::PermissionsExt;
+                permissions.set_mode(0o755);
+            }
+            std::fs::set_permissions(&script_path, permissions)?;
+            ("./print-token.sh".to_string(), Vec::new())
+        };
+
+        #[cfg(windows)]
+        let (command, args) = {
+            let script_path = tempdir.path().join("print-token.ps1");
+            std::fs::write(
+                &script_path,
+                r#"$lines = Get-Content -Path tokens.txt
+if ($lines.Count -eq 0) { exit 1 }
+Write-Output $lines[0]
+$lines | Select-Object -Skip 1 | Set-Content -Path tokens.txt
+"#,
+            )?;
+            (
+                "powershell".to_string(),
+                vec![
+                    "-NoProfile".to_string(),
+                    "-ExecutionPolicy".to_string(),
+                    "Bypass".to_string(),
+                    "-File".to_string(),
+                    ".\\print-token.ps1".to_string(),
+                ],
+            )
+        };
+
+        Ok(Self {
+            tempdir,
+            command,
+            args,
+        })
+    }
+
+    fn new_failing() -> std::io::Result<Self> {
+        let tempdir = tempfile::tempdir()?;
+
+        #[cfg(unix)]
+        let (command, args) = {
+            let script_path = tempdir.path().join("fail.sh");
+            std::fs::write(
+                &script_path,
+                r#"#!/bin/sh
+exit 1
+"#,
+            )?;
+            let mut permissions = std::fs::metadata(&script_path)?.permissions();
+            {
+                use std::os::unix::fs::PermissionsExt;
+                permissions.set_mode(0o755);
+            }
+            std::fs::set_permissions(&script_path, permissions)?;
+            ("./fail.sh".to_string(), Vec::new())
+        };
+
+        #[cfg(windows)]
+        let (command, args) = (
+            "powershell".to_string(),
+            vec![
+                "-NoProfile".to_string(),
+                "-ExecutionPolicy".to_string(),
+                "Bypass".to_string(),
+                "-Command".to_string(),
+                "exit 1".to_string(),
+            ],
+        );
+
+        Ok(Self {
+            tempdir,
+            command,
+            args,
+        })
+    }
+
+    fn auth_config(&self) -> ModelProviderAuthInfo {
+        serde_json::from_value(json!({
+            "command": self.command,
+            "args": self.args,
+            "timeout_ms": 1000,
+            "refresh_interval_ms": 60000,
+            "cwd": self.tempdir.path(),
+        }))
+        .expect("provider auth config should deserialize")
+    }
+}
+
 struct AuthFileParams {
     openai_api_key: Option<String>,
     chatgpt_plan_type: Option<String>,
Original file line number	Diff line number	Diff line change
`@@ -1015,7 +1015,7 @@ impl CodexMessageProcessor {`
`1015`	`1015`	`&mut self,`
`1016`	`1016`	`params: &LoginApiKeyParams,`
`1017`	`1017`	`) -> std::result::Result<(), JSONRPCErrorError> {`
`1018`		`- if self.auth_manager.is_external_auth_active() {`
	`1018`	`+ if self.auth_manager.is_external_chatgpt_auth_active() {`
`1019`	`1019`	`return Err(self.external_auth_active_error());`
`1020`	`1020`	`}`
`1021`	`1021`
`@@ -1094,7 +1094,7 @@ impl CodexMessageProcessor {`
`1094`	`1094`	`) -> std::result::Result<LoginServerOptions, JSONRPCErrorError> {`
`1095`	`1095`	`let config = self.config.as_ref();`
`1096`	`1096`
`1097`		`- if self.auth_manager.is_external_auth_active() {`
	`1097`	`+ if self.auth_manager.is_external_chatgpt_auth_active() {`
`1098`	`1098`	`return Err(self.external_auth_active_error());`
`1099`	`1099`	`}`
`1100`	`1100`
`@@ -1531,7 +1531,7 @@ impl CodexMessageProcessor {`
`1531`	`1531`	`}`
`1532`	`1532`
`1533`	`1533`	`async fn refresh_token_if_requested(&self, do_refresh: bool) -> RefreshTokenRequestOutcome {`
`1534`		`- if self.auth_manager.is_external_auth_active() {`
	`1534`	`+ if self.auth_manager.is_external_chatgpt_auth_active() {`
`1535`	`1535`	`return RefreshTokenRequestOutcome::NotAttemptedOrSucceeded;`
`1536`	`1536`	`}`
`1537`	`1537`	`if do_refresh && let Err(err) = self.auth_manager.refresh_token().await {`