fix: restore Azure AD bearer token support in api_key auth #3374
Oxygen56 wants to merge 1 commit into
When bearer_auth is set in security options (the default for all requests), the Azure client's _auth_headers now returns Authorization: Bearer using the api_key value, restoring the v2.33.0 behavior where AAD bearer tokens passed via api_key worked correctly.

In v2.34.0, an _auth_headers override was added that unconditionally sent api_key as an api-key header, breaking setups where an Azure AD token was passed through the api_key parameter (e.g., with Azure API Management proxies).

Fixes openai#3282

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 705dc36d7d
| if security.get("bearer_auth", False): | ||
| return {"Authorization": f"Bearer {self.api_key}"} |
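Review bot: the branch at `if security.get("bearer_auth", False):` puts self.api_key into the Bearer header without checking that it is set or that it holds a token rather than a regular Azure key. If api_key is None the f-string yields the literal header value "Bearer None", and a client configured with a plain key would have that key sent as Authorization: Bearer whenever bearer_auth is true. Suggest guarding the branch on a non-empty self.api_key and adding a test that asserts which auth headers a request carries for a plain key in api_key, an AAD token in api_key, and azure_ad_token.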
Avoid adding bearer auth without suppressing api-key
When an AzureOpenAI client is configured with api_key and calls any operation generated with security={"bearer_auth": True}, _prepare_options() still injects the api-key header into options.headers before _build_headers() merges these auth headers. Returning Authorization here therefore sends both Authorization: Bearer ... and api-key: ..., so the endpoint-level switch to bearer auth is not actually exclusive and can be rejected by Azure services that require a single auth scheme; the async override has the same issue.
Fixes regression in Azure AD bearer token authentication where AAD tokens passed via api_key stopped working after v2.34.0.

Problem

In v2.34.0, AzureOpenAI._auth_headers was added as an override that unconditionally sends api_key as an api-key header. This broke setups where an Azure AD bearer token was passed through the api_key parameter, which was the standard approach before azure_ad_token was introduced.

When using an Azure API Management proxy (or any endpoint expecting Authorization: Bearer), the token being sent as api-key instead of Authorization: Bearer results in a 401 error.

Fix

The _auth_headers method in both AzureOpenAI and AsyncAzureOpenAI now respects the bearer_auth flag from SecurityOptions (which defaults to True for all requests). When bearer_auth is True and azure_ad_token is not set, api_key is sent as an Authorization: Bearer header, restoring the v2.33.0 behavior.

- azure_ad_token is still sent as Authorization: Bearer (unchanged)
- api_key with bearer_auth=True is sent as Authorization: Bearer (restored)
- api_key without bearer_auth is sent as api-key (unchanged)

Fixes #3282
🤖 Generated with Claude Code
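
A stand-alone model of the three header cases listed in the description above and of the duplicate-header condition raised in the Codex review, written as an added example; it is not code from this PR or from the SDK. Every function name is hypothetical, and the empty-credential case and the `exclusive` switch are assumptions made for the model.

```python
# Model of the auth-header selection discussed in this PR (hypothetical names,
# not the SDK's own functions). Sample credentials below are constructed.
from typing import Dict, List, Optional

AUTH_HEADERS = ("authorization", "api-key")


def select_auth_headers(api_key: Optional[str], azure_ad_token: Optional[str],
                        bearer_auth: bool) -> Dict[str, str]:
    """Pick one credential header, following the three cases in the description."""
    if azure_ad_token:
        return {"Authorization": f"Bearer {azure_ad_token}"}
    if not api_key:
        return {}  # assumption: never emit "Bearer None" or an empty api-key
    if bearer_auth:
        return {"Authorization": f"Bearer {api_key}"}
    return {"api-key": api_key}


def merge_headers(preset: Dict[str, str], auth: Dict[str, str],
                  exclusive: bool) -> Dict[str, str]:
    """Merge the selected auth header over headers an earlier step already set.

    exclusive=False keeps an earlier api-key header next to Authorization,
    which is the condition the review comment describes. exclusive=True drops
    any earlier credential header before applying the selected one.
    """
    merged = dict(preset)
    if exclusive and auth:
        merged = {k: v for k, v in merged.items()
                  if k.lower() not in AUTH_HEADERS}
    merged.update(auth)
    return merged


def auth_schemes(headers: Dict[str, str]) -> List[str]:
    """Names of credential-bearing headers in a request, lowercased and sorted."""
    return sorted(k.lower() for k in headers if k.lower() in AUTH_HEADERS)


def redact(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers that is safe to log or print in a failing test."""
    return {k: ("<redacted>" if k.lower() in AUTH_HEADERS else v)
            for k, v in headers.items()}
```

A regression test for the client can assert that `auth_schemes` of the final request headers has exactly one entry for each credential configuration.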