Rename OIDC fields for Claude: separate OAuth and API token env vars

- Renamed OIDCConfig.EnvVarName -> OauthTokenEnvVar (for OIDC OAuth token)
- Renamed OIDCConfig.FallbackEnvVar -> ApiTokenEnvVar (for API key fallback)
- Added GetOAuthTokenEnvVarName() to CodingAgentEngine interface
- Claude now uses CLAUDE_CODE_OAUTH_TOKEN for OIDC tokens
- Claude uses ANTHROPIC_API_KEY as API key fallback
- Updated setup_oidc_token.cjs to distinguish OAuth vs API tokens
- Updated schema and tests to reflect new field names
- OAuth token from OIDC is exported to CLAUDE_CODE_OAUTH_TOKEN
- API key fallback remains as ANTHROPIC_API_KEY

Co-authored-by: pelikhan <[email protected]>

Author: Copilot

pkg/parser/schemas/main_workflow_schema.json

@@ -2991,13 +2991,13 @@
                   "type": "string",
                   "description": "URL endpoint to revoke the app token after workflow execution (optional)"
                 },
-                "env_var_name": {
+                "oauth_token_env_var": {
                   "type": "string",
-                  "description": "Environment variable name to store the token. Defaults to engine-specific variable (e.g., ANTHROPIC_API_KEY for Claude)"
+                  "description": "Environment variable name for OAuth token obtained via OIDC. For Claude: CLAUDE_CODE_OAUTH_TOKEN. Defaults to engine-specific variable."
                 },
-                "fallback_env_var": {
+                "api_token_env_var": {
                   "type": "string",
-                  "description": "Fallback environment variable to use if OIDC token acquisition fails. Typically references a secret (e.g., ${{ secrets.ANTHROPIC_API_KEY }})"
+                  "description": "Environment variable name for API key used as fallback. For Claude: ANTHROPIC_API_KEY. Defaults to engine-specific variable."
                 }
               },
               "required": ["token_exchange_url"],

pkg/workflow/agentic_engine.go

@@ -75,9 +75,16 @@ type CodingAgentEngine interface {
 	// Returns nil if the engine does not support OIDC or OIDC is not configured
 	GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig
 
-	// GetTokenEnvVarName returns the environment variable name for authentication tokens
-	// Used by OIDC token setup to determine where to store the obtained token
+	// GetTokenEnvVarName returns the environment variable name for API key authentication tokens
+	// For Claude: ANTHROPIC_API_KEY (used as fallback when OIDC fails)
+	// For Copilot: GITHUB_TOKEN
+	// For Codex: OPENAI_API_KEY
 	GetTokenEnvVarName() string
+
+	// GetOAuthTokenEnvVarName returns the environment variable name for OAuth tokens obtained via OIDC
+	// For Claude: CLAUDE_CODE_OAUTH_TOKEN
+	// For other engines: typically same as GetTokenEnvVarName()
+	GetOAuthTokenEnvVarName() string
 }
 
 // ErrorPattern represents a regex pattern for extracting error information from logs
@@ -168,12 +175,18 @@ func (e *BaseEngine) GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig {
 	return nil
 }
 
-// GetTokenEnvVarName returns the default token environment variable name
+// GetTokenEnvVarName returns the default API token environment variable name
 // Engines should override this to return engine-specific values
 func (e *BaseEngine) GetTokenEnvVarName() string {
 	return "GITHUB_TOKEN"
 }
 
+// GetOAuthTokenEnvVarName returns the default OAuth token environment variable name
+// By default, uses the same as API token. Engines can override for different OAuth token variables.
+func (e *BaseEngine) GetOAuthTokenEnvVarName() string {
+	return e.GetTokenEnvVarName()
+}
+
 // GetLogFileForParsing returns the default log file path for parsing
 // Engines can override this to use engine-specific log files
 func (e *BaseEngine) GetLogFileForParsing() string {

pkg/workflow/claude_engine.go

@@ -99,11 +99,18 @@ func (e *ClaudeEngine) GetOIDCConfig(workflowData *WorkflowData) *OIDCConfig {
 	}
 }
 
-// GetTokenEnvVarName returns the environment variable name for Claude's authentication token
+// GetTokenEnvVarName returns the environment variable name for Claude's API key authentication
+// This is used as the fallback when OIDC authentication is not available
 func (e *ClaudeEngine) GetTokenEnvVarName() string {
 	return "ANTHROPIC_API_KEY"
 }
 
+// GetOAuthTokenEnvVarName returns the environment variable name for Claude's OAuth token
+// This is used for OIDC-obtained tokens
+func (e *ClaudeEngine) GetOAuthTokenEnvVarName() string {
+	return "CLAUDE_CODE_OAUTH_TOKEN"
+}
+
 // GetExecutionSteps returns the GitHub Actions steps for executing Claude
 func (e *ClaudeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile string) []GitHubActionStep {
 	// Handle custom steps if they exist in engine config
@@ -218,10 +225,10 @@ func (e *ClaudeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str
 	// Add environment section - always include environment section for GH_AW_PROMPT
 	stepLines = append(stepLines, "        env:")
 
-	// Add Anthropic API key - if OIDC is configured, use the token from the setup step
-	// Otherwise, use the secret directly
+	// Add authentication token - if OIDC is configured, use OAuth token from setup step
+	// Otherwise, use the API key secret directly
 	if oidcConfig != nil {
-		stepLines = append(stepLines, "          ANTHROPIC_API_KEY: ${{ steps.setup_oidc_token.outputs.token }}")
+		stepLines = append(stepLines, "          CLAUDE_CODE_OAUTH_TOKEN: ${{ steps.setup_oidc_token.outputs.token }}")
 	} else {
 		stepLines = append(stepLines, "          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}")
 	}

pkg/workflow/js/setup_oidc_token.cjs

@@ -118,43 +118,43 @@ async function main() {
     // Get configuration from environment variables
     const audience = process.env.GH_AW_OIDC_AUDIENCE;
     const exchangeUrl = process.env.GH_AW_OIDC_EXCHANGE_URL;
-    const envVarName = process.env.GH_AW_OIDC_ENV_VAR_NAME;
-    const fallbackEnvVar = process.env.GH_AW_OIDC_FALLBACK_ENV_VAR;
+    const oauthTokenEnvVar = process.env.GH_AW_OIDC_OAUTH_TOKEN_ENV_VAR;
+    const apiTokenEnvVar = process.env.GH_AW_OIDC_API_TOKEN_ENV_VAR;
 
-    if (!audience || !exchangeUrl || !envVarName) {
-      core.setFailed("Missing required OIDC configuration (audience, exchange_url, or env_var_name)");
+    if (!audience || !exchangeUrl || !oauthTokenEnvVar || !apiTokenEnvVar) {
+      core.setFailed("Missing required OIDC configuration (audience, exchange_url, oauth_token_env_var, or api_token_env_var)");
       return;
     }
 
-    // Check if token was provided as fallback
-    const fallbackToken = fallbackEnvVar ? process.env[fallbackEnvVar] : null;
+    // Check if API token was provided as fallback
+    const apiToken = process.env[apiTokenEnvVar];
 
-    if (fallbackToken) {
-      core.info(`Using provided token from ${fallbackEnvVar} for authentication`);
-      core.setOutput("token", fallbackToken);
-      core.setOutput("token_source", "fallback");
-      core.exportVariable(envVarName, fallbackToken);
+    if (apiToken) {
+      core.info(`Using provided API token from ${apiTokenEnvVar} for authentication`);
+      core.setOutput("token", apiToken);
+      core.setOutput("token_source", "api_token");
+      core.exportVariable(apiTokenEnvVar, apiToken);
       return;
     }
 
     // Get OIDC token with retry
     const oidcToken = await retryWithBackoff(() => getOidcToken(audience));
 
-    // Exchange OIDC token for app token with retry
-    const appToken = await retryWithBackoff(() => exchangeForAppToken(oidcToken, exchangeUrl));
+    // Exchange OIDC token for OAuth app token with retry
+    const oauthToken = await retryWithBackoff(() => exchangeForAppToken(oidcToken, exchangeUrl));
 
-    // Set the token in the environment for subsequent steps
-    core.info(`Setting token in environment variable: ${envVarName}`);
-    core.setOutput("token", appToken);
-    core.setOutput("token_source", "oidc");
-    core.exportVariable(envVarName, appToken);
+    // Set the OAuth token in the environment for subsequent steps
+    core.info(`Setting OAuth token in environment variable: ${oauthTokenEnvVar}`);
+    core.setOutput("token", oauthToken);
+    core.setOutput("token_source", "oauth");
+    core.exportVariable(oauthTokenEnvVar, oauthToken);
 
     // Also output the token for post-step revocation
     core.setOutput("oidc_token_obtained", "true");
   } catch (error) {
     // Only set failed if we get here - workflow validation errors will return before this
     core.setFailed(
-      `Failed to setup token: ${error instanceof Error ? error.message : String(error)}\n\nIf you instead wish to use a custom token, provide it via the fallback environment variable.`
+      `Failed to setup token: ${error instanceof Error ? error.message : String(error)}\n\nIf you instead wish to use an API token, provide it via the ${apiTokenEnvVar} secret.`
     );
   }
 }

pkg/workflow/openid.go

@@ -13,11 +13,13 @@ type OIDCConfig struct {
 	// TokenRevokeURL is the URL to revoke the app token (optional)
 	TokenRevokeURL string `yaml:"token_revoke_url,omitempty"`
 
-	// EnvVarName is the environment variable name to store the token (defaults to token-specific env var)
-	EnvVarName string `yaml:"env_var_name,omitempty"`
+	// OauthTokenEnvVar is the environment variable name for the OAuth token obtained via OIDC
+	// For Claude: CLAUDE_CODE_OAUTH_TOKEN
+	OauthTokenEnvVar string `yaml:"oauth_token_env_var,omitempty"`
 
-	// FallbackEnvVar is the fallback environment variable to use if OIDC fails
-	FallbackEnvVar string `yaml:"fallback_env_var,omitempty"`
+	// ApiTokenEnvVar is the environment variable name for the API token used as fallback
+	// For Claude: ANTHROPIC_API_KEY
+	ApiTokenEnvVar string `yaml:"api_token_env_var,omitempty"`
 }
 
 // ParseOIDCConfig parses OIDC configuration from engine object
@@ -55,17 +57,17 @@ func ParseOIDCConfig(engineObj map[string]any) *OIDCConfig {
 		}
 	}
 
-	// Extract env_var_name field (optional)
-	if envVarName, hasEnvVarName := oidcObj["env_var_name"]; hasEnvVarName {
-		if envVarNameStr, ok := envVarName.(string); ok {
-			oidcConfig.EnvVarName = envVarNameStr
+	// Extract oauth_token_env_var field (optional)
+	if oauthTokenEnvVar, hasOauthTokenEnvVar := oidcObj["oauth_token_env_var"]; hasOauthTokenEnvVar {
+		if oauthTokenEnvVarStr, ok := oauthTokenEnvVar.(string); ok {
+			oidcConfig.OauthTokenEnvVar = oauthTokenEnvVarStr
 		}
 	}
 
-	// Extract fallback_env_var field (optional)
-	if fallbackEnvVar, hasFallbackEnvVar := oidcObj["fallback_env_var"]; hasFallbackEnvVar {
-		if fallbackEnvVarStr, ok := fallbackEnvVar.(string); ok {
-			oidcConfig.FallbackEnvVar = fallbackEnvVarStr
+	// Extract api_token_env_var field (optional)
+	if apiTokenEnvVar, hasApiTokenEnvVar := oidcObj["api_token_env_var"]; hasApiTokenEnvVar {
+		if apiTokenEnvVarStr, ok := apiTokenEnvVar.(string); ok {
+			oidcConfig.ApiTokenEnvVar = apiTokenEnvVarStr
 		}
 	}
 
@@ -99,8 +101,14 @@ func GenerateOIDCSetupStep(oidcConfig *OIDCConfig, engine CodingAgentEngine) Git
 
 	stepLines = append(stepLines, "      - name: Setup OIDC token")
 	stepLines = append(stepLines, "        id: setup_oidc_token")
-	// Only run if the fallback token secret exists (check for non-empty secret)
-	stepLines = append(stepLines, fmt.Sprintf("        if: secrets.%s != ''", engine.GetTokenEnvVarName()))
+
+	// Determine the API token env var (fallback) - check if secret exists before running
+	apiTokenEnvVar := oidcConfig.ApiTokenEnvVar
+	if apiTokenEnvVar == "" {
+		apiTokenEnvVar = engine.GetTokenEnvVarName()
+	}
+	stepLines = append(stepLines, fmt.Sprintf("        if: secrets.%s != ''", apiTokenEnvVar))
+
 	stepLines = append(stepLines, "        uses: actions/github-script@v8")
 	stepLines = append(stepLines, "        env:")
 
@@ -114,14 +122,17 @@ func GenerateOIDCSetupStep(oidcConfig *OIDCConfig, engine CodingAgentEngine) Git
 		stepLines = append(stepLines, fmt.Sprintf("          GH_AW_OIDC_EXCHANGE_URL: %s", oidcConfig.TokenExchangeURL))
 	}
 
-	// Use engine's token environment variable name
-	envVarName := engine.GetTokenEnvVarName()
-	stepLines = append(stepLines, fmt.Sprintf("          GH_AW_OIDC_ENV_VAR_NAME: %s", envVarName))
+	// OAuth token environment variable (where OIDC token will be stored)
+	oauthTokenEnvVar := oidcConfig.OauthTokenEnvVar
+	if oauthTokenEnvVar == "" {
+		oauthTokenEnvVar = engine.GetOAuthTokenEnvVarName()
+	}
+	stepLines = append(stepLines, fmt.Sprintf("          GH_AW_OIDC_OAUTH_TOKEN_ENV_VAR: %s", oauthTokenEnvVar))
 
-	// Use the same env var as fallback
-	stepLines = append(stepLines, fmt.Sprintf("          GH_AW_OIDC_FALLBACK_ENV_VAR: %s", envVarName))
+	// API token environment variable (fallback)
+	stepLines = append(stepLines, fmt.Sprintf("          GH_AW_OIDC_API_TOKEN_ENV_VAR: %s", apiTokenEnvVar))
 	// Add the actual fallback secret if it exists
-	stepLines = append(stepLines, fmt.Sprintf("          %s: ${{ secrets.%s }}", envVarName, envVarName))
+	stepLines = append(stepLines, fmt.Sprintf("          %s: ${{ secrets.%s }}", apiTokenEnvVar, apiTokenEnvVar))
 
 	stepLines = append(stepLines, "        with:")
 	stepLines = append(stepLines, "          script: |")

pkg/workflow/openid_test.go

@@ -15,11 +15,11 @@ func TestOIDCConfigExtraction(t *testing.T) {
 		"engine": map[string]any{
 			"id": "claude",
 			"oidc": map[string]any{
-				"audience":           "test-audience",
-				"token_exchange_url": "https://api.example.com/token-exchange",
-				"token_revoke_url":   "https://api.example.com/token-revoke",
-				"env_var_name":       "TEST_TOKEN",
-				"fallback_env_var":   "TEST_FALLBACK",
+				"audience":            "test-audience",
+				"token_exchange_url":  "https://api.example.com/token-exchange",
+				"token_revoke_url":    "https://api.example.com/token-revoke",
+				"oauth_token_env_var": "TEST_OAUTH_TOKEN",
+				"api_token_env_var":   "TEST_API_TOKEN",
 			},
 		},
 	}
@@ -50,12 +50,12 @@ func TestOIDCConfigExtraction(t *testing.T) {
 		t.Errorf("Expected token revoke URL 'https://api.example.com/token-revoke', got '%s'", config.OIDC.TokenRevokeURL)
 	}
 
-	if config.OIDC.EnvVarName != "TEST_TOKEN" {
-		t.Errorf("Expected env var name 'TEST_TOKEN', got '%s'", config.OIDC.EnvVarName)
+	if config.OIDC.OauthTokenEnvVar != "TEST_OAUTH_TOKEN" {
+		t.Errorf("Expected OAuth token env var 'TEST_OAUTH_TOKEN', got '%s'", config.OIDC.OauthTokenEnvVar)
 	}
 
-	if config.OIDC.FallbackEnvVar != "TEST_FALLBACK" {
-		t.Errorf("Expected fallback env var 'TEST_FALLBACK', got '%s'", config.OIDC.FallbackEnvVar)
+	if config.OIDC.ApiTokenEnvVar != "TEST_API_TOKEN" {
+		t.Errorf("Expected API token env var 'TEST_API_TOKEN', got '%s'", config.OIDC.ApiTokenEnvVar)
 	}
 }
 
@@ -131,9 +131,9 @@ func TestClaudeEngineWithOIDC(t *testing.T) {
 		t.Error("Expected OIDC revoke step to be present")
 	}
 
-	// Verify token is used from OIDC setup step
-	if !strings.Contains(stepsStr, "ANTHROPIC_API_KEY: ${{ steps.setup_oidc_token.outputs.token }}") {
-		t.Error("Expected ANTHROPIC_API_KEY to use token from OIDC setup step")
+	// Verify OAuth token is used from OIDC setup step
+	if !strings.Contains(stepsStr, "CLAUDE_CODE_OAUTH_TOKEN: ${{ steps.setup_oidc_token.outputs.token }}") {
+		t.Error("Expected CLAUDE_CODE_OAUTH_TOKEN to use token from OIDC setup step")
 	}
 
 	// Verify setup step uses github-script
@@ -176,9 +176,9 @@ func TestClaudeEngineWithoutOIDC(t *testing.T) {
 		t.Error("Expected OIDC revoke step to be present - Claude has OIDC enabled by default")
 	}
 
-	// Verify token uses OIDC token from setup step
-	if !strings.Contains(stepsStr, "ANTHROPIC_API_KEY: ${{ steps.setup_oidc_token.outputs.token }}") {
-		t.Error("Expected ANTHROPIC_API_KEY to use OIDC token from setup step - Claude has OIDC enabled by default")
+	// Verify OAuth token uses OIDC token from setup step
+	if !strings.Contains(stepsStr, "CLAUDE_CODE_OAUTH_TOKEN: ${{ steps.setup_oidc_token.outputs.token }}") {
+		t.Error("Expected CLAUDE_CODE_OAUTH_TOKEN to use OAuth token from setup step - Claude has OIDC enabled by default")
 	}
 
 	// Verify default OIDC configuration values