Skip to content

[awf] api-proxy: BYOK Authorization header malformed for external providers (OpenRouter/Azure) #2729

Description

@lpcox

Problem

When COPILOT_PROVIDER_API_KEY is set for BYOK mode with an external provider (e.g. OpenRouter), every request through the api-proxy fails with 400 bad request: Authorization header is badly formatted. All retries exhaust and the agent run fails entirely.

Context

Reported in github/gh-aw#30169. Affects v0.71.4 with COPILOT_PROVIDER_BASE_URL pointing to a non-GitHub provider. The api-proxy receives the request but constructs a malformed Authorization header before forwarding.

Root Cause

In containers/api-proxy/, the proxy likely prepends token (GitHub-style) or Bearer in a duplicated or incorrectly cased form to the outgoing Authorization header when the upstream is an external provider that expects a plain Bearer <key> format. The header may also be double-encoded if the Copilot client already adds its own Authorization value.

Proposed Solution

  1. In the api-proxy handler for the Copilot port (10002), detect whether COPILOT_PROVIDER_BASE_URL is non-GitHub and apply the appropriate header format (Bearer <key> only, stripping any client-supplied auth).
  2. Add provider-type-specific header normalization in containers/api-proxy/.
  3. Add integration tests for the OpenRouter/Azure OpenAI external-provider path verifying the exact Authorization header format sent upstream.

Generated by Firewall Issue Dispatcher · ● 1.3M ·

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions