fix: GitHub Copilot auth fails to open browser in Desktop app (#6957)

Cargo.toml

@@ -21,6 +21,7 @@ string_slice = "warn"
 [workspace.dependencies]
 rmcp = { version = "1.2.0", features = ["schemars", "auth"] }
 sacp = "10.1.0"
+arboard = "3"
 anyhow = "1.0"
 async-stream = "0.3"
 async-trait = "0.1"

crates/goose/Cargo.toml

@@ -25,6 +25,7 @@ rmcp = { workspace = true, features = [
     "transport-streamable-http-client-reqwest",
 ] }
 oauth2 = "5.0"
+arboard = { workspace = true }
 anyhow = { workspace = true }
 thiserror = { workspace = true }
 futures = { workspace = true }

crates/goose/src/providers/base.rs

@@ -266,9 +266,13 @@ pub struct ConfigKey {
     pub secret: bool,
     /// Optional default value for the key
     pub default: Option<String>,
-    /// Whether this key should be configured using OAuth device code flow
+    /// Whether this key should be configured using an OAuth flow
     /// When true, the provider's configure_oauth() method will be called instead of prompting for manual input
     pub oauth_flow: bool,
+    /// Whether this OAuth flow uses the device code grant (RFC 8628)
+    /// When true, the user must enter a verification code in the browser
+    #[serde(default)]
+    pub device_code_flow: bool,
     /// Whether this key should be shown prominently during provider setup
     /// (onboarding, settings modal, CLI configure)
     #[serde(default)]
@@ -290,6 +294,7 @@ impl ConfigKey {
             secret,
             default: default.map(|s| s.to_string()),
             oauth_flow: false,
+            device_code_flow: false,
             primary,
         }
     }
@@ -301,11 +306,12 @@ impl ConfigKey {
             secret,
             default: Some(T::DEFAULT.to_string()),
             oauth_flow: false,
+            device_code_flow: false,
             primary,
         }
     }
 
-    /// Create a new ConfigKey that uses OAuth device code flow for configuration
+    /// Create a new ConfigKey that uses an OAuth flow for configuration
     ///
     /// This is used for providers that support OAuth authentication instead of manual API key entry.
     /// When oauth_flow is true, the configuration system will call the provider's configure_oauth() method.
@@ -322,6 +328,29 @@ impl ConfigKey {
             secret,
             default: default.map(|s| s.to_string()),
             oauth_flow: true,
+            device_code_flow: false,
+            primary,
+        }
+    }
+
+    /// Create a new ConfigKey that uses OAuth device code flow (RFC 8628) for configuration
+    ///
+    /// Similar to new_oauth, but indicates the provider uses the device code grant where the user
+    /// must enter a verification code in the browser.
+    pub fn new_oauth_device_code(
+        name: &str,
+        required: bool,
+        secret: bool,
+        default: Option<&str>,
+        primary: bool,
+    ) -> Self {
+        Self {
+            name: name.to_string(),
+            required,
+            secret,
+            default: default.map(|s| s.to_string()),
+            oauth_flow: true,
+            device_code_flow: true,
             primary,
         }
     }

crates/goose/src/providers/githubcopilot.rs

@@ -285,6 +285,16 @@ impl GithubCopilotProvider {
     async fn login(&self) -> Result<String> {
         let device_code_info = self.get_device_code().await?;
 
+        if let Ok(mut clipboard) = arboard::Clipboard::new() {
+            if let Err(e) = clipboard.set_text(&device_code_info.user_code) {
+                tracing::warn!("Failed to copy verification code to clipboard: {}", e);
+            }
+        }
+
+        if let Err(e) = webbrowser::open(&device_code_info.verification_uri) {
+            tracing::warn!("Failed to open browser: {}", e);
+        }
+
         println!(
             "Please visit {} and enter code {}",
             device_code_info.verification_uri, device_code_info.user_code
@@ -402,7 +412,7 @@ impl ProviderDef for GithubCopilotProvider {
             GITHUB_COPILOT_DEFAULT_MODEL,
             GITHUB_COPILOT_KNOWN_MODELS.to_vec(),
             GITHUB_COPILOT_DOC_URL,
-            vec![ConfigKey::new_oauth(
+            vec![ConfigKey::new_oauth_device_code(
                 "GITHUB_COPILOT_TOKEN",
                 true,
                 true,

ui/desktop/openapi.json

@@ -4170,13 +4170,17 @@
             "description": "Optional default value for the key",
             "nullable": true
           },
+          "device_code_flow": {
+            "type": "boolean",
+            "description": "Whether this OAuth flow uses the device code grant (RFC 8628)\nWhen true, the user must enter a verification code in the browser"
+          },
           "name": {
             "type": "string",
             "description": "The name of the configuration key (e.g., \"API_KEY\")"
           },
           "oauth_flow": {
             "type": "boolean",
-            "description": "Whether this key should be configured using OAuth device code flow\nWhen true, the provider's configure_oauth() method will be called instead of prompting for manual input"
+            "description": "Whether this key should be configured using an OAuth flow\nWhen true, the provider's configure_oauth() method will be called instead of prompting for manual input"
           },
           "primary": {
             "type": "boolean",

ui/desktop/src/api/types.gen.ts

@@ -90,12 +90,17 @@ export type ConfigKey = {
      * Optional default value for the key
      */
     default?: string | null;
+    /**
+     * Whether this OAuth flow uses the device code grant (RFC 8628)
+     * When true, the user must enter a verification code in the browser
+     */
+    device_code_flow?: boolean;
     /**
      * The name of the configuration key (e.g., "API_KEY")
      */
     name: string;
     /**
-     * Whether this key should be configured using OAuth device code flow
+     * Whether this key should be configured using an OAuth flow
      * When true, the provider's configure_oauth() method will be called instead of prompting for manual input
      */
     oauth_flow: boolean;

ui/desktop/src/components/onboarding/ProviderConfigForm.tsx

@@ -56,6 +56,8 @@ function OAuthForm({
     }
   };
 
+  const isDeviceCodeFlow = provider.metadata.config_keys.some((key) => key.device_code_flow);
+
   return (
     <div className="flex flex-col items-center gap-3 py-4">
       <Button
@@ -68,7 +70,9 @@ function OAuthForm({
         {isLoading ? 'Signing in...' : `Sign in with ${provider.metadata.display_name}`}
       </Button>
       <p className="text-xs text-text-muted text-center">
-        A browser window will open for you to complete the login.
+        {isDeviceCodeFlow
+          ? 'A browser window will open and the verification code will be copied to your clipboard. Paste it in the browser to complete sign-in.'
+          : 'A browser window will open for you to complete the login.'}
       </p>
     </div>
   );

ui/desktop/src/components/settings/providers/modal/ProviderConfiguationModal.tsx

@@ -238,7 +238,9 @@ export default function ProviderConfigurationModal({
                       : `Sign in with ${provider.metadata.display_name}`}
                   </Button>
                   <p className="text-sm text-text-secondary text-center">
-                    A browser window will open for you to complete the login.
+                    {provider.metadata.config_keys.some((key) => key.device_code_flow)
+                      ? 'A browser window will open and the verification code will be copied to your clipboard. Paste it in the browser to complete sign-in.'
+                      : 'A browser window will open for you to complete the login.'}
                   </p>
                 </div>
               ) : (