Skip to content

refactor(api-proxy): collapse repeated OIDC header setup into createProviderOidcHeaderStrategy#6038

Merged
lpcox merged 2 commits into
mainfrom
copilot/fix-duplicate-oidc-header-strategy
Jul 9, 2026
Merged

refactor(api-proxy): collapse repeated OIDC header setup into createProviderOidcHeaderStrategy#6038
lpcox merged 2 commits into
mainfrom
copilot/fix-duplicate-oidc-header-strategy

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Every provider adapter (openai, anthropic, copilot) duplicated the same two-step pattern: call createProviderOidcAuth → destructure resolveAuthHeaders → call createProviderOidcHeaderResolver. This meant OIDC token behavior, static fallback logic, and header-injection ordering could silently drift between providers.

Changes

  • cloud-oidc-init.js — adds createProviderOidcHeaderStrategy(env, oidcAuthOptions, headerOptions) that wraps both steps into one call, returning all existing OIDC metadata fields plus resolveHeaders():

    // Before (repeated in every adapter):
    const { resolveAuthHeaders, oidcConfigured, ... } = createProviderOidcAuth(env, { staticAuthToken });
    const resolver = createProviderOidcHeaderResolver({ resolveAuthHeaders, buildOidcHeaders, buildStaticHeaders });
    // ...later...
    resolver.resolveHeaders()
    
    // After:
    const { oidcConfigured, resolveHeaders, ... } = createProviderOidcHeaderStrategy(
      env,
      { staticAuthToken },
      { buildOidcHeaders, buildStaticHeaders }
    );
  • openai.js, anthropic.js, copilot.js — each adapter's import narrows to createProviderOidcHeaderStrategy only; the two-step boilerplate is replaced with the single call. For copilot.js, the call is placed after authPrefix / byokExtraHeaders are defined (as the static-header closure captures them), which was already the natural position of the old createProviderOidcHeaderResolver call.

  • cloud-oidc-init.test.js — adds 6 tests covering: static-only path, OIDC token available, OIDC configured but token not yet ready, oidcAuthOptions forwarding, and provider-specific decorator composition.

Both createProviderOidcAuth and createProviderOidcHeaderResolver remain exported for backward compatibility and direct testing.

…er setup duplication across provider adapters

Adds a `createProviderOidcHeaderStrategy(env, oidcAuthOptions, headerOptions)`
helper to `cloud-oidc-init.js` that combines the previously repeated two-step
pattern:
1. `createProviderOidcAuth(...)` → get OIDC metadata + `resolveAuthHeaders`
2. `createProviderOidcHeaderResolver(...)` → wrap into `resolveHeaders()`

All three provider adapters (openai, anthropic, copilot) now use a single call
instead of two, keeping the common credential-resolution lifecycle in one place
so OIDC token behavior, static fallback behavior, and integration headers cannot
drift across providers.

Closes #6016
Copilot AI changed the title [WIP] Refactor OIDC header strategy to reduce code duplication refactor(api-proxy): collapse repeated OIDC header setup into createProviderOidcHeaderStrategy Jul 9, 2026
Copilot finished work on behalf of lpcox July 9, 2026 02:51
Copilot AI requested a review from lpcox July 9, 2026 02:51
@lpcox lpcox marked this pull request as ready for review July 9, 2026 02:56
Copilot AI review requested due to automatic review settings July 9, 2026 02:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors the api-proxy provider adapters to use a single, shared helper for OIDC-vs-static auth header resolution, reducing duplicated setup logic and the risk of behavioral drift across providers.

Changes:

  • Introduces createProviderOidcHeaderStrategy(...) to combine OIDC auth initialization and header resolution into one reusable entrypoint.
  • Updates OpenAI, Anthropic, and Copilot adapters to replace the repeated two-step OIDC header wiring with a single resolveHeaders() call from the new strategy.
  • Adds unit tests covering the new strategy’s behavior for static-only, OIDC-ready, and OIDC-not-ready (fail-closed) scenarios, plus option forwarding and decorator composition.
Show a summary per file
File Description
containers/api-proxy/providers/cloud-oidc-init.js Adds createProviderOidcHeaderStrategy to encapsulate common OIDC header setup logic.
containers/api-proxy/providers/openai.js Switches OpenAI adapter to the new strategy and uses resolveHeaders() for request auth headers.
containers/api-proxy/providers/anthropic.js Switches Anthropic adapter to the new strategy and reuses resolveHeaders() across validation/models/auth paths.
containers/api-proxy/providers/copilot.js Switches Copilot adapter to the new strategy, preserving provider-specific header decoration and prefix behavior.
containers/api-proxy/providers/cloud-oidc-init.test.js Adds test coverage validating the new strategy’s behavior and option forwarding.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

Smoke test completed. Connectivity: ❌ (000), PR Listing: ❌ (Tools missing), File Writing: ✅, Bash: ✅. Overall: FAIL.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Security Guard failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR follows all applicable contribution guidelines based on the provided metadata, diff, and CONTRIBUTING.md.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.98% 98.98% ➡️ +0.00%
Statements 98.94% 98.94% ➡️ +0.00%
Functions 99.44% 99.44% ➡️ +0.00%
Branches 95.64% 95.60% 📉 -0.04%

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode - PASS

  • ✅ GitHub MCP connectivity
  • ✅ GitHub.com connectivity (HTTP 200)
  • ✅ File write/read test
  • ✅ BYOK inference path (agent → api-proxy → api.githubcopilot.com)

Running in direct BYOK mode via COPILOT_PROVIDER_API_KEY. All tests passed.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this runner. Service containers may not be running or host networking is not bridged.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Copilot PAT Auth

Test Result
GitHub.com connectivity (HTTP 200)
File write/read
MCP connectivity

Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6038 · 35.1 AIC · ⊞ 3.3K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@lpcox

GitHub MCP merged PRs: validated ✅
GitHub.com connectivity: ✅
File I/O: ✅
Direct BYOK inference: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔥 Copilot Smoke Test — PASS

Test Result
GitHub MCP ✅ Connected
GitHub.com connectivity ✅ HTTP 200
File write/read ✅ Verified

Overall: PASS @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results

  • GitHub MCP Testing: ❌ (Unable to list PRs)
  • GitHub.com Connectivity: ❌ (HTTP 000)
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison Results

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3 ❌ NO
Node.js v24.18.0 v22.23.1 ❌ NO
Go go1.22.12 go1.22.12 ✅ YES

ALL_TESTS_PASSED: false — Python and Node.js versions differ between host and chroot environments.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
  • fix: use tag-only image ref in rootless permission repair
  • chore: upgrade gh-aw extension to v0.82.5 pre-release
  • Playwright title check ✅
  • File write/read ✅
  • Build ✅
  • Overall: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

@lpcox

  • GitHub MCP connectivity: ✅
  • GitHub.com connectivity: ✅
  • File Write/Read Test: ✅
  • BYOK Inference Test: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx All passed ✅ PASS
Node.js execa All passed ✅ PASS
Node.js p-limit All passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6038 · 39.1 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Status Notes
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite ✅ Pass 59/59 tests pass across 2 suites (otel.test.js + split-module tests)
3. Env Var Forwarding ✅ Pass src/services/api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME to the api-proxy container
4. Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js (lines 285, 343) as the OTEL hook point
5. OTEL Diagnostics ✅ Pass No OTLP endpoint configured in this run — FileSpanExporter fallback active (writes otel.jsonl); graceful degradation confirmed

All 5 scenarios pass. OTEL tracing integration is fully functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@lpcox lpcox merged commit a4175b6 into main Jul 9, 2026
89 of 91 checks passed
@lpcox lpcox deleted the copilot/fix-duplicate-oidc-header-strategy branch July 9, 2026 03:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] OIDC header strategy still repeats across provider adapters

3 participants