Use well-known OidcToken paths or command line arguments to determine OidcToken executable path

author: Liam Mitchell <[email protected]> 2026-01-14 15:34:57 -0800
committer: Liam Mitchell <[email protected]> 2026-01-14 15:36:09 -0800
commit: e44934cf1b4783420f5a4c6acbdbac44488d92a9 (patch)
tree: 54514f3878421108ce26a1f88eafda95aa90f6aa /src
parent: added early-out check in GcManager::ScrubStorage(ScrubContext& GcCtx) (#698) (diff)
download: zen-e44934cf1b4783420f5a4c6acbdbac44488d92a9.tar.xz
zen-e44934cf1b4783420f5a4c6acbdbac44488d92a9.zip
10 files changed, 119 insertions, 73 deletions
diff --git a/src/zen/authutils.cpp b/src/zen/authutils.cpp
index fdcb8e15d..cf6179b5e 100644
--- a/src/zen/authutils.cpp
+++ b/src/zen/authutils.cpp
@@ -51,34 +51,6 @@ ReadAccessTokenFromJsonFile(const std::filesystem::path& Path)
 	return AuthToken;
 }
 
-std::filesystem::path
-FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath)
-{
-	if (OidcTokenAuthExecutablePath.empty())
-	{
-		const std::string	  OidcExecutableName = "OidcToken" ZEN_EXE_SUFFIX_LITERAL;
-		std::filesystem::path OidcTokenPath		 = (GetRunningExecutablePath().parent_path() / OidcExecutableName).make_preferred();
-		if (IsFile(OidcTokenPath))
-		{
-			return OidcTokenPath;
-		}
-		OidcTokenPath = (std::filesystem::current_path() / OidcExecutableName).make_preferred();
-		if (IsFile(OidcTokenPath))
-		{
-			return OidcTokenPath;
-		}
-	}
-	else
-	{
-		std::filesystem::path OidcTokenPath = std::filesystem::absolute(StringToPath(OidcTokenAuthExecutablePath)).make_preferred();
-		if (IsFile(OidcTokenPath))
-		{
-			return OidcTokenPath;
-		}
-	}
-	return {};
-};
-
 void
 AuthCommandLineOptions::AddOptions(cxxopts::Options& Ops)
 {
diff --git a/src/zen/authutils.h b/src/zen/authutils.h
index 2201c3f83..fa9670b3f 100644
--- a/src/zen/authutils.h
+++ b/src/zen/authutils.h
@@ -3,6 +3,7 @@
 #pragma once
 
 #include "zen.h"
+#include "zenutil/authutils.h"
 
 namespace zen {
 
@@ -46,8 +47,7 @@ struct AuthCommandLineOptions
 					  bool						   Verbose);
 };
 
-std::string			  ReadAccessTokenFromJsonFile(const std::filesystem::path& Path);
-std::string_view	  GetDefaultAccessTokenEnvVariableName();
-std::filesystem::path FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath);
+std::string		 ReadAccessTokenFromJsonFile(const std::filesystem::path& Path);
+std::string_view GetDefaultAccessTokenEnvVariableName();
 
 }  // namespace zen
diff --git a/src/zencore/filesystem.cpp b/src/zencore/filesystem.cpp
index 7f341818b..8adb66972 100644
--- a/src/zencore/filesystem.cpp
+++ b/src/zencore/filesystem.cpp
@@ -2756,6 +2756,18 @@ GetEnvVariable(std::string_view VariableName)
 	return "";
 }
 
+bool
+SetEnvVariable(std::string Name, std::string Value)
+{
+	ZEN_ASSERT(!Name.empty() && !Value.empty());
+#if ZEN_PLATFORM_WINDOWS
+	return SetEnvironmentVariableA(Name.c_str(), Value.c_str());
+#endif
+#if ZEN_PLATFORM_LINUX || ZEN_PLATFORM_MAC
+	return setenv(Name.c_str(), Value.c_str(), /* overwrite */ 1) == 0;
+#endif
+}
+
 std::error_code
 RotateFiles(const std::filesystem::path& Filename, std::size_t MaxFiles)
 {
diff --git a/src/zencore/include/zencore/filesystem.h b/src/zencore/include/zencore/filesystem.h
index b4906aebf..b7422d389 100644
--- a/src/zencore/include/zencore/filesystem.h
+++ b/src/zencore/include/zencore/filesystem.h
@@ -378,6 +378,7 @@ void GetDirectoryContent(const std::filesystem::path& RootDir,
 						 Latch&						  PendingWorkCount);
 
 std::string GetEnvVariable(std::string_view VariableName);
+bool		SetEnvVariable(std::string Name, std::string Value);
 
 std::filesystem::path SearchPathForExecutable(std::string_view ExecutableName);
 
diff --git a/src/zenserver/config/config.cpp b/src/zenserver/config/config.cpp
index 18187711b..f5170add8 100644
--- a/src/zenserver/config/config.cpp
+++ b/src/zenserver/config/config.cpp
@@ -182,6 +182,7 @@ struct ZenServerCmdLineOptions
 	std::string DataDir;
 	std::string AbsLogFile;
 	std::string BaseSnapshotDir;
+	std::string OidcTokenExecutable;
 
 	void AddCliOptions(cxxopts::Options& options, ZenServerConfig& ServerOptions);
 	void ApplyOptions(cxxopts::Options& options, ZenServerConfig& ServerOptions);
@@ -374,6 +375,13 @@ ZenServerCmdLineOptions::AddCliOptions(cxxopts::Options& options, ZenServerConfi
 					   "",
 					   cxxopts::value<bool>(ServerOptions.StatsConfig.Enabled)->default_value("false"),
 					   "Enable statsd reporter (localhost:8125)");
+
+	options.add_option("auth",
+					   "",
+					   "oidctoken-exe-path",
+					   "Path to OidcToken executable",
+					   cxxopts::value<std::string>(OidcTokenExecutable)->default_value(""),
+					   "");
 }
 
 void
@@ -388,12 +396,13 @@ ZenServerCmdLineOptions::ApplyOptions(cxxopts::Options& options, ZenServerConfig
 			throw std::runtime_error(fmt::format("'--snapshot-dir' ('{}') must be a directory", ServerOptions.BaseSnapshotDir));
 	}
 
-	ServerOptions.SystemRootDir	  = MakeSafeAbsolutePath(SystemRootDir);
-	ServerOptions.DataDir		  = MakeSafeAbsolutePath(DataDir);
-	ServerOptions.ContentDir	  = MakeSafeAbsolutePath(ContentDir);
-	ServerOptions.AbsLogFile	  = MakeSafeAbsolutePath(AbsLogFile);
-	ServerOptions.ConfigFile	  = MakeSafeAbsolutePath(ConfigFile);
-	ServerOptions.BaseSnapshotDir = MakeSafeAbsolutePath(BaseSnapshotDir);
+	ServerOptions.SystemRootDir		  = MakeSafeAbsolutePath(SystemRootDir);
+	ServerOptions.DataDir			  = MakeSafeAbsolutePath(DataDir);
+	ServerOptions.ContentDir		  = MakeSafeAbsolutePath(ContentDir);
+	ServerOptions.AbsLogFile		  = MakeSafeAbsolutePath(AbsLogFile);
+	ServerOptions.ConfigFile		  = MakeSafeAbsolutePath(ConfigFile);
+	ServerOptions.BaseSnapshotDir	  = MakeSafeAbsolutePath(BaseSnapshotDir);
+	ServerOptions.OidcTokenExecutable = MakeSafeAbsolutePath(OidcTokenExecutable);
 }
 
 //////////////////////////////////////////////////////////////////////////
diff --git a/src/zenserver/config/config.h b/src/zenserver/config/config.h
index 40639da13..2d37697cd 100644
--- a/src/zenserver/config/config.h
+++ b/src/zenserver/config/config.h
@@ -55,14 +55,15 @@ struct ZenServerConfig
 	bool				  IsDedicated	  = false;	// Indicates a dedicated/shared instance, with larger resource requirements
 	bool				  ShouldCrash	  = false;	// Option for testing crash handling
 	bool				  IsFirstRun	  = false;
-	std::filesystem::path ConfigFile;		// Path to Lua config file
-	std::filesystem::path SystemRootDir;	// System root directory (used for machine level config)
-	std::filesystem::path ContentDir;		// Root directory for serving frontend content (experimental)
-	std::filesystem::path DataDir;			// Root directory for state (used for testing)
-	std::filesystem::path AbsLogFile;		// Absolute path to main log file
-	std::filesystem::path BaseSnapshotDir;	// Path to server state snapshot (will be copied into data dir on start)
-	std::string			  ChildId;			// Id assigned by parent process (used for lifetime management)
-	std::string			  LogId;			// Id for tagging log output
+	std::filesystem::path ConfigFile;			// Path to Lua config file
+	std::filesystem::path SystemRootDir;		// System root directory (used for machine level config)
+	std::filesystem::path ContentDir;			// Root directory for serving frontend content (experimental)
+	std::filesystem::path DataDir;				// Root directory for state (used for testing)
+	std::filesystem::path AbsLogFile;			// Absolute path to main log file
+	std::filesystem::path BaseSnapshotDir;		// Path to server state snapshot (will be copied into data dir on start)
+	std::filesystem::path OidcTokenExecutable;	// Path to OidcToken executable to use for auth
+	std::string			  ChildId;				// Id assigned by parent process (used for lifetime management)
+	std::string			  LogId;				// Id for tagging log output
 	std::string			  Loggers[zen::logging::level::LogLevelCount];
 #if ZEN_WITH_TRACE
 	bool		 HasTraceCommandlineOptions = false;
diff --git a/src/zenserver/storage/projectstore/httpprojectstore.cpp b/src/zenserver/storage/projectstore/httpprojectstore.cpp
index 4e947f221..3a48ef595 100644
--- a/src/zenserver/storage/projectstore/httpprojectstore.cpp
+++ b/src/zenserver/storage/projectstore/httpprojectstore.cpp
@@ -23,6 +23,7 @@
 #include <zenstore/oplogreferencedset.h>
 #include <zenstore/projectstore.h>
 #include <zenstore/zenstore.h>
+#include <zenutil/authutils.h>
 #include <zenutil/openprocesscache.h>
 #include <zenutil/workerpools.h>
 
@@ -101,7 +102,6 @@ CSVWriteOp(CidStore&					   CidStore,
 //////////////////////////////////////////////////////////////////////////
 
 namespace {
-
 	void CbWriteOp(CidStore&					   CidStore,
 				   bool							   Details,
 				   bool							   OpDetails,
@@ -317,19 +317,9 @@ namespace {
 					AccessToken = GetEnvVariable(AccessTokenEnvVariable);
 				}
 			}
-			std::filesystem::path OidcExePath;
-			if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
-			{
-				std::filesystem::path OidcExePathMaybe(OidcExePathString);
-				if (IsFile(OidcExePathMaybe))
-				{
-					OidcExePath = std::move(OidcExePathMaybe);
-				}
-				else
-				{
-					ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
-				}
-			}
+
+			std::filesystem::path OidcExePath = FindOidcTokenExePath("");
+
 			std::string_view KeyParam = Cloud["key"sv].AsString();
 			if (KeyParam.empty())
 			{
@@ -435,20 +425,8 @@ namespace {
 					AccessToken = GetEnvVariable(AccessTokenEnvVariable);
 				}
 			}
-			std::filesystem::path OidcExePath;
-			if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
-			{
-				std::filesystem::path OidcExePathMaybe(OidcExePathString);
-				if (IsFile(OidcExePathMaybe))
-				{
-					OidcExePath = std::move(OidcExePathMaybe);
-				}
-				else
-				{
-					ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
-				}
-			}
-			std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
+			std::filesystem::path OidcExePath  = FindOidcTokenExePath("");
+			std::string_view	  BuildIdParam = Builds["buildsid"sv].AsString();
 			if (BuildIdParam.empty())
 			{
 				return {nullptr, "Missing build id"};
diff --git a/src/zenserver/zenserver.cpp b/src/zenserver/zenserver.cpp
index ab8dbb16b..d5c9558aa 100644
--- a/src/zenserver/zenserver.cpp
+++ b/src/zenserver/zenserver.cpp
@@ -24,6 +24,7 @@
 #include <zencore/workthreadpool.h>
 #include <zenhttp/httpserver.h>
 #include <zentelemetry/otlptrace.h>
+#include <zenutil/authutils.h>
 #include <zenutil/service.h>
 #include <zenutil/workerpools.h>
 #include <zenutil/zenserverprocess.h>
@@ -127,6 +128,11 @@ ZenServerBase::Initialize(const ZenServerConfig& ServerOptions, ZenServerState::
 
 	EnqueueSigIntTimer();
 
+	if (!ServerOptions.OidcTokenExecutable.empty())
+	{
+		SetEnvVariable(std::string(GetOidcTokenPathEnvVariableName()), ServerOptions.OidcTokenExecutable.string());
+	}
+
 	m_Http				  = CreateHttpServer(ServerOptions.HttpConfig);
 	int EffectiveBasePort = m_Http->Initialize(ServerOptions.BasePort, ServerOptions.DataDir);
 	if (EffectiveBasePort == 0)
diff --git a/src/zenutil/authutils.cpp b/src/zenutil/authutils.cpp
new file mode 100644
index 000000000..1db2072cb
--- /dev/null
+++ b/src/zenutil/authutils.cpp
@@ -0,0 +1,55 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#include "zenutil/authutils.h"
+#include "zenutil/commandlineoptions.h"
+
+#include <zencore/filesystem.h>
+
+namespace zen {
+using namespace std::literals;
+
+std::string_view
+GetOidcTokenPathEnvVariableName()
+{
+#if ZEN_PLATFORM_WINDOWS
+	return "UE-OidcTokenExePath"sv;
+#endif
+#if ZEN_PLATFORM_LINUX || ZEN_PLATFORM_MAC
+	return "UE_OidcTokenExePath"sv;
+#endif
+}
+
+std::filesystem::path
+FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath)
+{
+	if (OidcTokenAuthExecutablePath.empty())
+	{
+		std::filesystem::path OidcTokenPath = GetEnvVariable(GetOidcTokenPathEnvVariableName());
+		if (IsFile(OidcTokenPath))
+		{
+			return OidcTokenPath;
+		}
+		const std::string OidcExecutableName = "OidcToken" ZEN_EXE_SUFFIX_LITERAL;
+		OidcTokenPath						 = (GetRunningExecutablePath().parent_path() / OidcExecutableName).make_preferred();
+		if (IsFile(OidcTokenPath))
+		{
+			return OidcTokenPath;
+		}
+		OidcTokenPath = (std::filesystem::current_path() / OidcExecutableName).make_preferred();
+		if (IsFile(OidcTokenPath))
+		{
+			return OidcTokenPath;
+		}
+	}
+	else
+	{
+		std::filesystem::path OidcTokenPath = std::filesystem::absolute(StringToPath(OidcTokenAuthExecutablePath)).make_preferred();
+		if (IsFile(OidcTokenPath))
+		{
+			return OidcTokenPath;
+		}
+	}
+	return {};
+};
+
+}  // namespace zen
diff --git a/src/zenutil/include/zenutil/authutils.h b/src/zenutil/include/zenutil/authutils.h
new file mode 100644
index 000000000..92ccad4b4
--- /dev/null
+++ b/src/zenutil/include/zenutil/authutils.h
@@ -0,0 +1,12 @@
+// Copyright Epic Games, Inc. All Rights Reserved.
+
+#pragma once
+
+#include <filesystem>
+
+namespace zen {
+
+std::string_view	  GetOidcTokenPathEnvVariableName();
+std::filesystem::path FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath);
+
+}  // namespace zen
author	Liam Mitchell <[email protected]>	2026-01-14 15:34:57 -0800
committer	Liam Mitchell <[email protected]>	2026-01-14 15:36:09 -0800
commit	e44934cf1b4783420f5a4c6acbdbac44488d92a9 (patch)
tree	54514f3878421108ce26a1f88eafda95aa90f6aa /src
parent	added early-out check in GcManager::ScrubStorage(ScrubContext& GcCtx) (#698) (diff)
download	zen-e44934cf1b4783420f5a4c6acbdbac44488d92a9.tar.xz zen-e44934cf1b4783420f5a4c6acbdbac44488d92a9.zip