Refactor provider OIDC auth-header plumbing into a shared resolver#5994
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request refactors the api-proxy provider adapters’ OIDC-vs-static auth-header selection into a shared resolver to reduce duplication and prevent drift in security-critical, fail-closed credential logic.
Changes:
- Added a shared
createProviderOidcHeaderResolver(...)helper to encapsulate OIDC header resolution, fail-closed{}behavior, and static fallback. - Refactored OpenAI, Anthropic, and Copilot adapters to use the shared resolver (intended to be behavior-preserving).
- Extended unit tests in
cloud-oidc-init.test.jsto cover the new resolver’s key behaviors.
Show a summary per file
| File | Description |
|---|---|
| containers/api-proxy/providers/cloud-oidc-init.js | Adds shared header resolver helper and exports it for provider adapters. |
| containers/api-proxy/providers/openai.js | Switches OpenAI adapter auth-header resolution to the shared resolver. |
| containers/api-proxy/providers/anthropic.js | Dedupes Anthropic auth-header wiring via shared resolver across validation/models/inference paths. |
| containers/api-proxy/providers/copilot.js | Centralizes inference auth-header resolution via shared resolver while keeping /models special-casing intact. |
| containers/api-proxy/providers/cloud-oidc-init.test.js | Adds focused unit tests for the shared header resolver behavior. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/5 changed files
- Comments generated: 0
- Review effort level: Low
|
✅ Copilot review passed with no inline comments. @copilot Add the |
|
✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓 |
|
Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded. |
|
✅ Smoke Gemini completed. All facets verified. 💎 |
|
✅ Build Test Suite completed successfully! |
|
🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅ |
|
✅ Security Guard completed successfully! Security analysis of PR #5994 complete. No security issues detected. The PR refactors OIDC auth-header resolution in the API proxy by centralizing repeated logic into a shared resolver function. All behavior is preserved, fail-closed semantics are maintained, and new test coverage is added. This is a safe refactoring with no security-weakening changes to firewall rules, capabilities, ACLs, credentials handling, or domain allowlists. |
|
📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅ |
|
✅ Smoke Claude passed |
|
✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓 |
|
🔌 Smoke Services — All services reachable! ✅ |
|
✅ Contribution Check completed successfully! PR #5994 follows the applicable CONTRIBUTING.md guidelines: clear description, focused files under containers/, tests included for the shared resolver, and no documentation update appears required for this refactor. |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
|
❌ Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed... |
|
| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 99.00% | 99.00% | ➡️ +0.00% |
| Statements | 98.95% | 98.95% | ➡️ +0.00% |
| Functions | 99.72% | 99.72% | ➡️ +0.00% |
| Branches | 95.44% | 95.41% | 📉 -0.03% |
Coverage comparison generated by scripts/ci/compare-coverage.ts
Smoke Test: Claude Engine Validation
Overall Result: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot Engine ✅ PASS
Overall: PASS — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Copilot BYOK (Direct) Mode
Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: Services Connectivity
Overall: FAIL — Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
|
Gemini Engine Smoke Test Results:
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
🔥 Smoke Test: PAT Auth — PASS
Overall: PASS — Auth mode: PAT (COPILOT_GITHUB_TOKEN) | cc Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test: API Proxy OpenTelemetry Tracing
All scenarios pass. OTEL tracing integration is functional with graceful degradation when no collector is configured. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Chroot Version Comparison
Go versions match. Python and Node.js versions differ between host and chroot environments. Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS Test DetailsBun: elysia (1 test via Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
OpenAI, Anthropic, and Copilot adapters each reimplemented the same OIDC-vs-static auth-header selection flow (including fail-closed behavior while OIDC tokens are not ready). This change centralizes that credential-resolution path to reduce drift in security-critical logic.
Shared OIDC header resolver
createProviderOidcHeaderResolver(...)incontainers/api-proxy/providers/cloud-oidc-init.js.{}when OIDC is configured but token is unavailableAdapter refactors (no behavior change intended)
providers/openai.js): replaced inlineresolveAuthHeaders(...)usage with shared resolver.providers/anthropic.js): deduped request/validation/models-fetch auth-header wiring through shared resolver.providers/copilot.js): moved inference auth-header resolution to shared resolver while preserving/modelsspecial-case behavior and prefix rules.Focused test coverage
providers/cloud-oidc-init.test.jswith unit tests for the new resolver: