refactor(api-proxy): collapse repeated OIDC header setup into createProviderOidcHeaderStrategy#6038
Conversation
…er setup duplication across provider adapters Adds a `createProviderOidcHeaderStrategy(env, oidcAuthOptions, headerOptions)` helper to `cloud-oidc-init.js` that combines the previously repeated two-step pattern: 1. `createProviderOidcAuth(...)` → get OIDC metadata + `resolveAuthHeaders` 2. `createProviderOidcHeaderResolver(...)` → wrap into `resolveHeaders()` All three provider adapters (openai, anthropic, copilot) now use a single call instead of two, keeping the common credential-resolution lifecycle in one place so OIDC token behavior, static fallback behavior, and integration headers cannot drift across providers. Closes #6016
createProviderOidcHeaderStrategy
There was a problem hiding this comment.
Pull request overview
This PR refactors the api-proxy provider adapters to use a single, shared helper for OIDC-vs-static auth header resolution, reducing duplicated setup logic and the risk of behavioral drift across providers.
Changes:
- Introduces
createProviderOidcHeaderStrategy(...)to combine OIDC auth initialization and header resolution into one reusable entrypoint. - Updates OpenAI, Anthropic, and Copilot adapters to replace the repeated two-step OIDC header wiring with a single
resolveHeaders()call from the new strategy. - Adds unit tests covering the new strategy’s behavior for static-only, OIDC-ready, and OIDC-not-ready (fail-closed) scenarios, plus option forwarding and decorator composition.
Show a summary per file
| File | Description |
|---|---|
| containers/api-proxy/providers/cloud-oidc-init.js | Adds createProviderOidcHeaderStrategy to encapsulate common OIDC header setup logic. |
| containers/api-proxy/providers/openai.js | Switches OpenAI adapter to the new strategy and uses resolveHeaders() for request auth headers. |
| containers/api-proxy/providers/anthropic.js | Switches Anthropic adapter to the new strategy and reuses resolveHeaders() across validation/models/auth paths. |
| containers/api-proxy/providers/copilot.js | Switches Copilot adapter to the new strategy, preserving provider-specific header decoration and prefix behavior. |
| containers/api-proxy/providers/cloud-oidc-init.test.js | Adds test coverage validating the new strategy’s behavior and option forwarding. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/5 changed files
- Comments generated: 0
- Review effort level: Low
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Build Test Suite completed successfully! |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
✅ Smoke Claude passed |
|
✅ Smoke Gemini completed. All facets verified. 💎 Smoke test completed. Connectivity: ❌ (000), PR Listing: ❌ (Tools missing), File Writing: ✅, Bash: ✅. Overall: FAIL. |
|
❌ Security Guard failed. Please review the logs for details. |
|
✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓 |
|
🔌 Smoke Services — All services reachable! ✅ |
|
✅ Contribution Check completed successfully! PR follows all applicable contribution guidelines based on the provided metadata, diff, and CONTRIBUTING.md. |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 98.98% | 98.98% | ➡️ +0.00% |
| Statements | 98.94% | 98.94% | ➡️ +0.00% |
| Functions | 99.44% | 99.44% | ➡️ +0.00% |
| Branches | 95.64% | 95.60% | 📉 -0.04% |
Coverage comparison generated by scripts/ci/compare-coverage.ts
|
✅ Smoke Test: Copilot BYOK (Direct) Mode - PASS
Running in direct BYOK mode via COPILOT_PROVIDER_API_KEY. All tests passed. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Services Connectivity
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔥 Smoke Test: Copilot PAT Auth
Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN) Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Claude Engine Validation
Overall Result: PASS ✅ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
GitHub MCP merged PRs: validated ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔥 Copilot Smoke Test — PASS
Overall: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test Results
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
Chroot Version Comparison Results
ALL_TESTS_PASSED: false — Python and Node.js versions differ between host and chroot environments. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Warning Firewall blocked 2 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"
- "registry.npmjs.org"See Network Configuration for more information.
|
|
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra Overall status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🔍 Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios pass. OTEL tracing integration is fully functional. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Every provider adapter (
openai,anthropic,copilot) duplicated the same two-step pattern: callcreateProviderOidcAuth→ destructureresolveAuthHeaders→ callcreateProviderOidcHeaderResolver. This meant OIDC token behavior, static fallback logic, and header-injection ordering could silently drift between providers.Changes
cloud-oidc-init.js— addscreateProviderOidcHeaderStrategy(env, oidcAuthOptions, headerOptions)that wraps both steps into one call, returning all existing OIDC metadata fields plusresolveHeaders():openai.js,anthropic.js,copilot.js— each adapter's import narrows tocreateProviderOidcHeaderStrategyonly; the two-step boilerplate is replaced with the single call. Forcopilot.js, the call is placed afterauthPrefix/byokExtraHeadersare defined (as the static-header closure captures them), which was already the natural position of the oldcreateProviderOidcHeaderResolvercall.cloud-oidc-init.test.js— adds 6 tests covering: static-only path, OIDC token available, OIDC configured but token not yet ready,oidcAuthOptionsforwarding, and provider-specific decorator composition.Both
createProviderOidcAuthandcreateProviderOidcHeaderResolverremain exported for backward compatibility and direct testing.