Remove 'enabled' field from OIDC config - check token_exchange_url at runtime

- Removed 'enabled' boolean field from OIDCConfig struct
- Changed schema to require 'token_exchange_url' instead of 'enabled'
- Updated HasOIDCConfig to check for presence of token_exchange_url
- Updated all engine GetOIDCConfig methods to check token_exchange_url
- Updated tests to remove enabled field checks
- OIDC is now implicitly enabled when token_exchange_url is present

Co-authored-by: pelikhan <[email protected]>

Author: Copilot

pkg/parser/schemas/main_workflow_schema.json

@@ -2977,19 +2977,15 @@
             },
             "oidc": {
               "type": "object",
-              "description": "OpenID Connect authentication configuration for agentic engines. When enabled, the workflow will use OIDC to obtain tokens with PAT fallback support.",
+              "description": "OpenID Connect authentication configuration for agentic engines. When configured, the workflow will use OIDC to obtain tokens with PAT fallback support.",
               "properties": {
-                "enabled": {
-                  "type": "boolean",
-                  "description": "Enable OIDC authentication for this engine"
-                },
                 "audience": {
                   "type": "string",
                   "description": "OIDC audience identifier (e.g., 'claude-code-github-action'). Defaults to engine-specific audience if not specified."
                 },
                 "token_exchange_url": {
                   "type": "string",
-                  "description": "URL endpoint to exchange OIDC token for an app token (required when OIDC is enabled)"
+                  "description": "URL endpoint to exchange OIDC token for an app token (required for OIDC authentication)"
                 },
                 "token_revoke_url": {
                   "type": "string",
@@ -3004,7 +3000,7 @@
                   "description": "Fallback environment variable to use if OIDC token acquisition fails. Typically references a secret (e.g., ${{ secrets.ANTHROPIC_API_KEY }})"
                 }
               },
-              "required": ["enabled"],
+              "required": ["token_exchange_url"],
               "additionalProperties": false
             }
           },

pkg/workflow/claude_engine.go

@@ -85,7 +85,7 @@ func (e *ClaudeEngine) GetVersionCommand() string {
 
 // GetOIDCConfig returns the OIDC configuration for Claude engine
 func (e *ClaudeEngine) GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig {
-	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.Enabled {
+	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.TokenExchangeURL != "" {
 		return workflowData.EngineConfig.OIDC
 	}
 	return nil

pkg/workflow/codex_engine.go

@@ -84,7 +84,7 @@ func (e *CodexEngine) GetVersionCommand() string {
 
 // GetOIDCConfig returns the OIDC configuration for Codex engine
 func (e *CodexEngine) GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig {
-	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.Enabled {
+	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.TokenExchangeURL != "" {
 		return workflowData.EngineConfig.OIDC
 	}
 	return nil

pkg/workflow/copilot_engine.go

@@ -99,7 +99,7 @@ func (e *CopilotEngine) GetVersionCommand() string {
 
 // GetOIDCConfig returns the OIDC configuration for Copilot engine
 func (e *CopilotEngine) GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig {
-	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.Enabled {
+	if workflowData.EngineConfig != nil && workflowData.EngineConfig.OIDC != nil && workflowData.EngineConfig.OIDC.TokenExchangeURL != "" {
 		return workflowData.EngineConfig.OIDC
 	}
 	return nil

pkg/workflow/openid.go

@@ -4,9 +4,6 @@ import "fmt"
 
 // OIDCConfig represents OpenID Connect authentication configuration for agentic engines
 type OIDCConfig struct {
-	// Enabled indicates whether OIDC authentication is enabled
-	Enabled bool `yaml:"enabled,omitempty"`
-
 	// Audience is the OIDC audience identifier (e.g., "claude-code-github-action")
 	Audience string `yaml:"audience,omitempty"`
 
@@ -37,13 +34,6 @@ func ParseOIDCConfig(engineObj map[string]any) *OIDCConfig {
 
 	oidcConfig := &OIDCConfig{}
 
-	// Extract enabled field (defaults to false)
-	if enabled, hasEnabled := oidcObj["enabled"]; hasEnabled {
-		if enabledBool, ok := enabled.(bool); ok {
-			oidcConfig.Enabled = enabledBool
-		}
-	}
-
 	// Extract audience field
 	if audience, hasAudience := oidcObj["audience"]; hasAudience {
 		if audienceStr, ok := audience.(string); ok {
@@ -83,8 +73,9 @@ func ParseOIDCConfig(engineObj map[string]any) *OIDCConfig {
 }
 
 // HasOIDCConfig checks if the engine has OIDC configuration
+// OIDC is considered enabled if token_exchange_url is present
 func HasOIDCConfig(config *EngineConfig) bool {
-	return config != nil && config.OIDC != nil && config.OIDC.Enabled
+	return config != nil && config.OIDC != nil && config.OIDC.TokenExchangeURL != ""
 }
 
 // GetOIDCAudience returns the OIDC audience identifier, with a default based on engine

pkg/workflow/openid_test.go

@@ -15,7 +15,6 @@ func TestOIDCConfigExtraction(t *testing.T) {
 		"engine": map[string]any{
 			"id": "claude",
 			"oidc": map[string]any{
-				"enabled":            true,
 				"audience":           "test-audience",
 				"token_exchange_url": "https://api.example.com/token-exchange",
 				"token_revoke_url":   "https://api.example.com/token-revoke",
@@ -39,10 +38,6 @@ func TestOIDCConfigExtraction(t *testing.T) {
 		t.Fatal("Expected OIDC config to be non-nil")
 	}
 
-	if !config.OIDC.Enabled {
-		t.Error("Expected OIDC to be enabled")
-	}
-
 	if config.OIDC.Audience != "test-audience" {
 		t.Errorf("Expected audience 'test-audience', got '%s'", config.OIDC.Audience)
 	}
@@ -67,7 +62,6 @@ func TestOIDCConfigExtraction(t *testing.T) {
 func TestOIDCConfigDefaults(t *testing.T) {
 	// Test with minimal OIDC configuration
 	oidcConfig := &OIDCConfig{
-		Enabled:          true,
 		TokenExchangeURL: "https://api.example.com/exchange",
 	}
 
@@ -106,7 +100,6 @@ func TestClaudeEngineWithOIDC(t *testing.T) {
 		EngineConfig: &EngineConfig{
 			ID: "claude",
 			OIDC: &OIDCConfig{
-				Enabled:          true,
 				Audience:         "claude-code-github-action",
 				TokenExchangeURL: "https://api.anthropic.com/api/github/github-app-token-exchange",
 				TokenRevokeURL:   "https://api.anthropic.com/api/github/github-app-token-revoke",
@@ -198,17 +191,17 @@ func TestHasOIDCConfig(t *testing.T) {
 		t.Error("Expected HasOIDCConfig to return false when OIDC is nil")
 	}
 
-	// Test with OIDC disabled
+	// Test with OIDC but no token_exchange_url
 	config.OIDC = &OIDCConfig{
-		Enabled: false,
+		Audience: "test-audience",
 	}
 	if HasOIDCConfig(config) {
-		t.Error("Expected HasOIDCConfig to return false when OIDC is disabled")
+		t.Error("Expected HasOIDCConfig to return false when token_exchange_url is not set")
 	}
 
-	// Test with OIDC enabled
-	config.OIDC.Enabled = true
+	// Test with OIDC and token_exchange_url
+	config.OIDC.TokenExchangeURL = "https://api.example.com/exchange"
 	if !HasOIDCConfig(config) {
-		t.Error("Expected HasOIDCConfig to return true when OIDC is enabled")
+		t.Error("Expected HasOIDCConfig to return true when token_exchange_url is set")
 	}
 }