feat(opencode): add xAI Grok OAuth (SuperGrok) + device-code login #28557
Merged
Adds two OAuth login methods to the xAI provider so SuperGrok subscribers don't need a paid API key, plus keeps API-key entry as the fallback.

- Browser loopback: PKCE + state + nonce → http://127.0.0.1:56121/callback, HTML-escaped error page, single-flight refresh against xAI's rotating refresh_token, header non-mutation, JWT exp check on top of the stored expires deadline, best-effort persistence.
- RFC 8628 device-code: for VPS / SSH / Docker / WSL / CI hosts where the loopback redirect isn't reachable from the user's browser. Honors authorization_pending / slow_down per spec with a 3s safety margin and a hard expires_in deadline. Defends the polling loop against malformed interval / expires_in (NaN, "NaN", negative, 0) by falling back to the default — without this a NaN interval would busy-loop the token endpoint via setTimeout(_, NaN).
- Permanent log-only error listener on the OAuth callback server after listen() succeeds so accept-time failures don't crash the process. Clears oauthServer on listen() failure so a port collision doesn't poison the next attempt.

Mirrors the patterns the existing Codex plugin uses and matches its defensive posture on every dimension I could identify.

Verified:

- cd packages/opencode && bun test test/plugin/xai.test.ts → 51 pass, 144 expectations
- cd packages/opencode && bun typecheck → clean
- Manual on a SuperGrok account: /connect xai → both OAuth methods complete; tokens land in auth.json with rotation; expired-deadline auth auto-refreshes within the 2-min skew window; binding :56121 externally produces a clean error and a subsequent attempt succeeds.
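The interval / expires_in hardening described in the PR body, as an added TypeScript example that is not the PR's code. The function names and the 300 s fallback lifetime are assumptions; the 5 s default interval and the 5 s slow_down step come from RFC 8628, and adding the 3 s margin to every wait is an assumption about how the margin is applied.

```typescript
// Added example, not opencode's implementation. Names and DEFAULT_EXPIRES_S are assumptions.
const DEFAULT_INTERVAL_S = 5 // RFC 8628 section 3.2: default when "interval" is absent
const DEFAULT_EXPIRES_S = 300 // assumed fallback lifetime for a bad "expires_in"
const SLOW_DOWN_STEP_MS = 5000 // RFC 8628 section 3.5: slow_down adds 5 seconds
const SAFETY_MARGIN_MS = 3000 // the 3s margin named in the PR description

type PollState = { intervalMs: number; deadlineMs: number }
type Step =
  | { action: "wait"; delayMs: number; state: PollState }
  | { action: "stop"; reason: string }

// Accept a number or numeric string. NaN, "NaN", Infinity, 0, negatives and
// non-numeric types all yield the fallback, so setTimeout never receives NaN.
function positiveSeconds(raw: unknown, fallback: number): number {
  const n = typeof raw === "string" ? Number(raw.trim()) : raw
  return typeof n === "number" && Number.isFinite(n) && n > 0 ? n : fallback
}

// Build polling state from the (untrusted) device authorization response.
function startPolling(resp: { interval?: unknown; expires_in?: unknown }, nowMs: number): PollState {
  return {
    intervalMs: positiveSeconds(resp.interval, DEFAULT_INTERVAL_S) * 1000,
    deadlineMs: nowMs + positiveSeconds(resp.expires_in, DEFAULT_EXPIRES_S) * 1000,
  }
}

// Decide the next move from the "error" field of one token-endpoint response.
function nextStep(state: PollState, error: string, nowMs: number): Step {
  // Anything other than the two "keep polling" codes ends the loop.
  if (error !== "authorization_pending" && error !== "slow_down") {
    return { action: "stop", reason: error }
  }
  // slow_down raises the interval for this and every later request.
  const intervalMs = error === "slow_down" ? state.intervalMs + SLOW_DOWN_STEP_MS : state.intervalMs
  const delayMs = intervalMs + SAFETY_MARGIN_MS
  // Hard deadline: never schedule a poll that would land after expiry.
  // "deadline_exceeded" is a local label, not an RFC 8628 error code.
  if (nowMs + delayMs >= state.deadlineMs) {
    return { action: "stop", reason: "deadline_exceeded" }
  }
  return { action: "wait", delayMs, state: { intervalMs, deadlineMs: state.deadlineMs } }
}
```

Keeping the decision logic free of timers and network calls lets the malformed-input cases be unit-tested without a token endpoint.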
Collaborator
/review
MyNameIsGMLi pushed a commit to MyNameIsGMLi/opencode that referenced this pull request May 22, 2026
…nomalyco#28557) Co-authored-by: Jaaneek <Jaaneek@users.noreply.github.com> Co-authored-by: Aiden Cline <63023139+rekram1-node@users.noreply.github.com> Co-authored-by: Aiden Cline <aidenpcline@gmail.com>
sdeonvacation added a commit to sdeonvacation/opencode-x-old that referenced this pull request May 22, 2026
…code login (anomalyco#28557) (upstream b32debb)
rustybret pushed a commit to rustybret/opencode that referenced this pull request May 22, 2026
…nomalyco#28557) Co-authored-by: Jaaneek <Jaaneek@users.noreply.github.com> Co-authored-by: Aiden Cline <63023139+rekram1-node@users.noreply.github.com> Co-authored-by: Aiden Cline <aidenpcline@gmail.com>
Issue for this PR
Closes #28411
What does this PR do?
Adds two OAuth login methods to the xAI provider so SuperGrok subscribers don't need a paid API key, plus keeps API-key entry as the fallback.
How did you verify your code works?
I ran the tests and also tested manually.