Skip to content

Refactor provider OIDC auth-header plumbing into a shared resolver#5994

Merged
lpcox merged 2 commits into
mainfrom
copilot/fix-duplicate-oidc-auth-header
Jul 8, 2026
Merged

Refactor provider OIDC auth-header plumbing into a shared resolver#5994
lpcox merged 2 commits into
mainfrom
copilot/fix-duplicate-oidc-auth-header

Conversation

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

OpenAI, Anthropic, and Copilot adapters each reimplemented the same OIDC-vs-static auth-header selection flow (including fail-closed behavior while OIDC tokens are not ready). This change centralizes that credential-resolution path to reduce drift in security-critical logic.

  • Shared OIDC header resolver

    • Added createProviderOidcHeaderResolver(...) in containers/api-proxy/providers/cloud-oidc-init.js.
    • Encapsulates:
      • OIDC header construction when token exists
      • fail-closed {} when OIDC is configured but token is unavailable
      • static-header fallback when OIDC is not configured
  • Adapter refactors (no behavior change intended)

    • OpenAI (providers/openai.js): replaced inline resolveAuthHeaders(...) usage with shared resolver.
    • Anthropic (providers/anthropic.js): deduped request/validation/models-fetch auth-header wiring through shared resolver.
    • Copilot (providers/copilot.js): moved inference auth-header resolution to shared resolver while preserving /models special-case behavior and prefix rules.
  • Focused test coverage

    • Extended providers/cloud-oidc-init.test.js with unit tests for the new resolver:
      • OIDC token available → OIDC headers
      • OIDC unavailable but configured → empty headers
      • OIDC not configured → static headers
const oidcHeaderResolver = createProviderOidcHeaderResolver({
  resolveAuthHeaders,
  buildOidcHeaders: (token) => bearerAuthHeaders(token),
  buildStaticHeaders: () => providerKeyHeaders(authHeaderName, apiKey),
});

const headers = oidcHeaderResolver.resolveHeaders();

Copilot AI changed the title [WIP] Refactor OIDC auth header plumbing to remove duplicates Refactor provider OIDC auth-header plumbing into a shared resolver Jul 7, 2026
Copilot finished work on behalf of lpcox July 7, 2026 22:28
Copilot AI requested a review from lpcox July 7, 2026 22:28
@lpcox lpcox marked this pull request as ready for review July 7, 2026 22:42
@lpcox lpcox requested a review from Copilot July 7, 2026 22:42

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request refactors the api-proxy provider adapters’ OIDC-vs-static auth-header selection into a shared resolver to reduce duplication and prevent drift in security-critical, fail-closed credential logic.

Changes:

  • Added a shared createProviderOidcHeaderResolver(...) helper to encapsulate OIDC header resolution, fail-closed {} behavior, and static fallback.
  • Refactored OpenAI, Anthropic, and Copilot adapters to use the shared resolver (intended to be behavior-preserving).
  • Extended unit tests in cloud-oidc-init.test.js to cover the new resolver’s key behaviors.
Show a summary per file
File Description
containers/api-proxy/providers/cloud-oidc-init.js Adds shared header resolver helper and exports it for provider adapters.
containers/api-proxy/providers/openai.js Switches OpenAI adapter auth-header resolution to the shared resolver.
containers/api-proxy/providers/anthropic.js Dedupes Anthropic auth-header wiring via shared resolver across validation/models/inference paths.
containers/api-proxy/providers/copilot.js Centralizes inference auth-header resolution via shared resolver while keeping /models special-casing intact.
containers/api-proxy/providers/cloud-oidc-init.test.js Adds focused unit tests for the shared header resolver behavior.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 5/5 changed files
  • Comments generated: 0
  • Review effort level: Low

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Security Guard completed successfully!

Security analysis of PR #5994 complete. No security issues detected. The PR refactors OIDC auth-header resolution in the API proxy by centralizing repeated logic into a shared resolver function. All behavior is preserved, fail-closed semantics are maintained, and new test coverage is added. This is a safe refactoring with no security-weakening changes to firewall rules, capabilities, ACLs, credentials handling, or domain allowlists.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Contribution Check completed successfully!

PR #5994 follows the applicable CONTRIBUTING.md guidelines: clear description, focused files under containers/, tests included for the shared resolver, and no documentation update appears required for this refactor.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) reports failed. AOAI BYOK (api-key) mode investigation needed...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 99.00% 99.00% ➡️ +0.00%
Statements 98.95% 98.95% ➡️ +0.00%
Functions 99.72% 99.72% ➡️ +0.00%
Branches 95.44% 95.41% 📉 -0.03%

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Check Result
API Status ✅ PASS
GH Check ✅ PASS
File Status ✅ PASS

Overall Result: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #5994 · 35.1 AIC · ⊞ 5.8K ·
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot Engine ✅ PASS

Test Result
MCP Connectivity
GitHub.com HTTP ✅ 200
File Write/Read

Overall: PASS@lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@lpcox
✅ GitHub MCP PR data validated
✅ GitHub.com connectivity (HTTP 200)
✅ File write/read test
✅ BYOK inference via Azure Entra (Foundry, o4-mini-aw)
Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

Test Result
MCP Connectivity
GitHub.com Access
File Write/Read
BYOK Inference

Status: PASS
Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) via api-proxy → api.githubcopilot.com
Run: #28907978288

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ Network is unreachable
  • PostgreSQL pg_isready: ❌ No response
  • PostgreSQL SELECT 1: ❌ Network is unreachable

Overall: FAILhost.docker.internal (172.17.0.1) is unreachable from this runner. Service containers are not accessible.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Gemini Engine Smoke Test Results:

  • GitHub MCP Testing: ✅ (PRs: 'feat: add build-tools...', 'fix: add diagnostic...')
  • GitHub.com Connectivity: ✅
  • File Writing Testing: ✅
  • Bash Tool Testing: ✅
    Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: PAT Auth — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP ✅ 200
File write/read

Overall: PASS — Auth mode: PAT (COPILOT_GITHUB_TOKEN) | cc @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
Module Loading Pass otel.js loads; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + internal helpers
Test Suite Pass 59 tests pass (39 in otel.test.js, 20 in otel-fanout.test.js)
Env Var Forwarding Pass api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
Token Tracker Integration Pass onUsage callback in token-tracker-http.js (line 283, invoked line 326) + onSpanEnd hook present
OTEL Diagnostics Pass (graceful degradation) No OTLP endpoint configured; FileSpanExporter fallback active, no errors

All scenarios pass. OTEL tracing integration is functional with graceful degradation when no collector is configured.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Chroot Version Comparison

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.18.0 v22.23.1
Go go1.22.12 go1.22.12

Go versions match. Python and Node.js versions differ between host and chroot environments.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions github-actions Bot mentioned this pull request Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Test Details

Bun: elysia (1 test via bun test), hono (1 test via bun test)
C++: fmt and json (CMake + make build succeeded)
Deno: oak (1 test, deps downloaded from deno.land), std (1 test)
.NET: hello-world (Hello, World! output), json-parse (JSON parsed and printed successfully)
Go: color, env, uuid (all go test ./... passed)
Java: gson (1 test via Maven), caffeine (1 test via Maven) — Note: required writable Maven local repo at /tmp/gh-aw/agent/.m2/repository since default ~/.m2 was root-owned
Node.js: clsx, execa, p-limit (all All tests passed!)
Rust: fd (1 test), zoxide (1 test)

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #5994 · 112.7 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

@lpcox lpcox merged commit 4c63025 into main Jul 8, 2026
85 of 90 checks passed
@lpcox lpcox deleted the copilot/fix-duplicate-oidc-auth-header branch July 8, 2026 01:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Duplicate Code] OIDC auth-header plumbing still repeats across provider adapters

3 participants