feat(provider): add xAI / SuperGrok OAuth (loopback + device-code)#3438
Open
christophacham wants to merge 1 commit into
Open
feat(provider): add xAI / SuperGrok OAuth (loopback + device-code)#3438christophacham wants to merge 1 commit into
christophacham wants to merge 1 commit into
Conversation
Make the built-in `xai` provider OAuth-capable by adding `oauth_code` and `oauth_device` auth methods alongside `api_key` in the provider catalog, reusing forgecode's existing generic OAuth framework (no new transport code). - oauth_code: loopback authorization-code + PKCE (S256) on 127.0.0.1:56121/callback, plan=generic, referrer=forgecode. Routes to OAuthCodeStrategy<StandardHttpProvider> via the factory fall-through. - oauth_device: RFC 8628 device-code (headless/VPS). auth_url is the device-authorization endpoint and token_refresh_url is omitted, so the factory routes to the plain OAuthDeviceStrategy (not the Copilot hybrid). use_pkce=false to match the oauth2 exchange_device_code flow. - api_key retained as fallback (picker order: oauth_code, oauth_device, api_key). The bearer is injected by the existing OpenAI-protocol header builder and the loopback server already accepts a pinned 127.0.0.1 redirect, so no other code changes are required. Tests: factory dispatch (XAI OAuthCode->Standard, OAuthDevice->Device) and a provider.json round-trip asserting client_id/urls/scopes/redirect/extra params.
|
|
github-actions
Bot
added
type: feature
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Makes the built-in
xaiprovider OAuth-capable, so you can sign in with an xAI / SuperGrok account instead of pasting an API key.Two OAuth methods are added to the
xaientry in the provider catalog, reusing forgecode's existing generic OAuth framework — no new transport code:oauth_code— loopback authorization-code + PKCE (S256) on127.0.0.1:56121/callback. Routes through the genericOAuthCodeStrategy<StandardHttpProvider>.oauth_device— RFC 8628 device-code flow for headless / SSH / CI. Routes to the plainOAuthDeviceStrategy.api_keykept as a fallback (picker order:oauth_code→oauth_device→api_key).The access token is injected as a plain
Bearerby the existing OpenAI-protocol header builder, and the loopback callback server already accepts the pinned127.0.0.1redirect — so the change is data-driven (catalog JSON) plus routing/round-trip tests, with zero per-provider Rust logic.Test it
Then pick OAuth Authorization Code (desktop) or OAuth Device Flow (headless).
Tests added
oauth_code→ Standard,oauth_device→ Device.provider.jsonround-trip asserting client_id / URLs / scopes / redirect / extra params.