openai api behind Oauth2?

[tamis-laan]

I'm working on a project where we have openai protected behind a Oauth2 endpoint. Which works like a proxy, it recieves api calls we need to authenticate with oauth2 and then the requests are forwarded to I believe Azure openai.

I would like to use the official openai python client instead of writting my own httpx wrapper around the api. So I basically need to override the OpenAI class and implement my own authentication flow.

Can someone tell me how to do this? Which methods should I override? Are there examples of this I can use as reference? All help would be appreciated.

[manimovassagh]

You can do this without subclassing by using the http_client parameter with a custom httpx client that handles OAuth2 token injection.

Here's a clean approach:

import httpx
from openai import OpenAI

class OAuth2Auth(httpx.Auth):
    def __init__(self, token_url, client_id, client_secret):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self._token = None

    def auth_flow(self, request):
        if not self._token:
            self._fetch_token()
        request.headers["Authorization"] = f"Bearer {self._token}"
        yield request

    def _fetch_token(self):
        resp = httpx.post(
            self.token_url,
            data={
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
            },
        )
        resp.raise_for_status()
        self._token = resp.json()["access_token"]


auth = OAuth2Auth(
    token_url="https://your-idp.com/oauth/token",
    client_id="your-client-id",
    client_secret="your-client-secret",
)

http_client = httpx.Client(auth=auth)

client = OpenAI(
    base_url="https://your-proxy-endpoint.com/v1",
    api_key="unused",  # set to any string; your proxy handles real auth
    http_client=http_client,
)

# Now use it normally
response = client.chat.completions.create(
    model="gpt-4",
    messages=[{"role": "user", "content": "Hello"}],
)

Key points:

• httpx.Auth hooks into every request to inject/refresh the OAuth2 token automatically
• base_url points to your proxy instead of api.openai.com
• Set api_key to any non-empty string (the SDK requires it but your proxy ignores it)
• For token refresh, add expiry tracking in auth_flow and re-fetch when the token expires

If your proxy expects the OpenAI API key in addition to the OAuth2 token, keep api_key set to your real key and use a different header name for OAuth2 in your custom auth class.

[Bahtya]

Using the OpenAI client with a custom OAuth2 proxy

You can achieve this with httpx event hooks or by passing a custom httpx.Auth instance. Here are two approaches:

Approach 1: Custom httpx.Auth class (recommended)

The OpenAI Python client uses httpx under the hood. You can inject a custom auth handler:

import httpx
from openai import OpenAI

class OAuth2Auth(httpx.Auth):
    def __init__(self, token_url: str, client_id: str, client_secret: str):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self._token: str | None = None

    def auth_flow(self, request: httpx.Request):
        if self._token is None:
            # Fetch OAuth2 token
            response = httpx.post(
                self.token_url,
                data={
                    "grant_type": "client_credentials",
                    "client_id": self.client_id,
                    "client_secret": self.client_secret,
                },
            )
            response.raise_for_status()
            self._token = response.json()["access_token"]

        request.headers["Authorization"] = f"Bearer {self._token}"
        yield request

# Use it
auth = OAuth2Auth(
    token_url="https://your-oauth-server/token",
    client_id="your-client-id",
    client_secret="your-client-secret",
)

client = OpenAI(
    base_url="https://your-proxy.example.com/v1",
    api_key="not-needed",  # Required by the client but auth is handled by OAuth2
    http_client=httpx.Client(auth=auth),
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Hello!"}],
)

Approach 2: Use AzureOpenAI client with custom endpoint

If your proxy forwards to Azure OpenAI, you might be able to use the built-in Azure support:

from openai import AzureOpenAI

client = AzureOpenAI(
    azure_endpoint="https://your-proxy.example.com",
    api_version="2024-02-01",
    api_key="your-azure-key",  # Or use DefaultAzureCredential
)

Key points

• Set base_url to your proxy URL
• Pass a custom httpx.Client with your auth handler via http_client
• The api_key parameter is still required by the constructor but your proxy can ignore it if OAuth2 handles auth
• The auth_flow method handles token refresh if the server returns 401 (you can add retry logic)

[x-tahosin]

You don't actually need to subclass OpenAI — the SDK already accepts a base_url and a custom httpx.Client (or AsyncClient for AsyncOpenAI) at construction. Put your OAuth handling in the http client and the rest of the SDK works unchanged:

import time
from typing import Optional
import httpx
from openai import OpenAI

class OAuthTokenManager:
    """Caches the bearer token and refreshes it on demand."""
    def __init__(self, token_endpoint: str, client_id: str, client_secret: str):
        self._endpoint = token_endpoint
        self._client_id = client_id
        self._client_secret = client_secret
        self._token: Optional[str] = None
        self._expires_at: float = 0

    def get(self) -> str:
        if self._token and time.time() < self._expires_at - 30:
            return self._token
        # Client-credentials flow shown — adapt to your IdP
        r = httpx.post(self._endpoint, data={
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        r.raise_for_status()
        body = r.json()
        self._token = body["access_token"]
        self._expires_at = time.time() + body.get("expires_in", 3600)
        return self._token

tokens = OAuthTokenManager(
    token_endpoint="https://idp.example.com/oauth2/token",
    client_id="...",
    client_secret="...",
)

def add_oauth_header(request: httpx.Request) -> None:
    request.headers["Authorization"] = f"Bearer {tokens.get()}"

http_client = httpx.Client(
    event_hooks={"request": [add_oauth_header]},
    timeout=httpx.Timeout(60.0, connect=10.0),
)

client = OpenAI(
    base_url="https://your-oauth-proxy.example.com/v1",
    api_key="placeholder",   # required by the SDK; your proxy ignores it
    http_client=http_client,
)

resp = client.chat.completions.create(
    model="gpt-4o-mini",
    messages=[{"role": "user", "content": "hi"}],
)

Notes:

• The api_key field is required by the SDK constructor (it'll error out at validation if you pass None/empty), but since your proxy is doing auth, the value is never actually used by your IdP — "placeholder" or any non-empty string is fine. Set the env var OPENAI_API_KEY=placeholder if you'd rather not hard-code it.
• The event_hooks={"request": [...]} is httpx's blessed way to add per-request mutations. Token caching + refresh-on-near-expiry happens in OAuthTokenManager so you're not hitting your IdP every call.
• For async, swap to httpx.AsyncClient(event_hooks={"request": [add_oauth_header_async]}) and pass to AsyncOpenAI(http_client=...). The hook can be async — just await tokens.get().
• If your proxy speaks Azure-style URLs (/openai/deployments/<name>/chat/completions?api-version=...) rather than the OpenAI shape (/v1/chat/completions), use AzureOpenAI instead of OpenAI — same base_url + http_client pattern applies.

Ref: https://github.com/openai/openai-python#configuring-the-http-client