Refactor: extract createProviderOidcAuth to unify OIDC setup across provider adapters #5206
…ication

Closes #5196

Three provider adapters (openai.js, copilot.js, anthropic.js) repeated the same three-step OIDC credential-resolution pattern:

1. resolveCloudOidcProviders (or hand-rolled equivalent)
2. createOidcRuntimeAdapterMethods
3. resolveOidcAuthHeaders + static fallback in getAuthHeaders()

This commit extracts that pattern into createProviderOidcAuth() in providers/cloud-oidc-init.js, which bundles all three steps and also exposes validationSkip(), skipModelsFetch(), and resolveAuthHeaders() defaults.

- openai.js and copilot.js: replace two-step resolveCloudOidcProviders + createOidcRuntimeAdapterMethods with a single createProviderOidcAuth() call
- openai.js getAuthHeaders(): simplified using resolveAuthHeaders()
- anthropic.js: replace hand-rolled OIDC setup with createProviderOidcAuth() + oidcProviderFactory; replace manual isEnabled()/getOidcProvider() with spread runtimeMethods; replace hand-rolled auth header logic with resolveOidcAuthHeaders()
- cloud-oidc-init.test.js: 9 new tests for createProviderOidcAuth()
✅ Coverage Check Passed
Pull request overview
This PR refactors the API proxy provider adapters (OpenAI, Copilot, Anthropic) to share a unified cloud OIDC initialization/auth-header resolution flow by introducing a new helper, createProviderOidcAuth, in cloud-oidc-init.js. The goal is to eliminate duplicated OIDC lifecycle code across adapters and standardize behaviors like validation/model-fetch skipping and auth header selection.
Changes:
- Added `createProviderOidcAuth(env, options)` helper to bundle provider resolution, runtime adapter methods, and auth-header resolution.
- Updated `openai.js`, `copilot.js`, and `anthropic.js` to use the helper (Anthropic via a custom `oidcProviderFactory`).
- Added Jest coverage for the new helper in `cloud-oidc-init.test.js`.
| File | Description |
|---|---|
| containers/api-proxy/providers/cloud-oidc-init.js | Introduces createProviderOidcAuth helper that centralizes OIDC setup + header resolution. |
| containers/api-proxy/providers/openai.js | Switches OpenAI adapter OIDC setup/auth headers to use createProviderOidcAuth. |
| containers/api-proxy/providers/copilot.js | Switches Copilot adapter OIDC setup to use createProviderOidcAuth while keeping custom header branching. |
| containers/api-proxy/providers/anthropic.js | Replaces Anthropic’s bespoke OIDC init with createProviderOidcAuth + factory and standard header resolution. |
| containers/api-proxy/providers/cloud-oidc-init.test.js | Adds focused tests for createProviderOidcAuth behavior across configured/unconfigured/factory paths. |
Copilot's findings
- Files reviewed: 5/5 changed files
- Comments generated: 3
| * @param {((env: Record<string, string|undefined>) => any)|null} [options.oidcProviderFactory] | ||
| * Optional factory for providers that use a custom OIDC token class (e.g. | ||
| * Anthropic). When provided, takes precedence over `resolveCloudOidcProviders`. | ||
| * The factory receives `env` and should return a provider instance or | ||
| * `null`/`undefined` when not configured. |
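Review bot: In the `@param` line for `options.oidcProviderFactory`, the factory's return type is declared as `any`, so the signature does not tell an adapter author which methods the returned provider must implement, and the fact that `null`/`undefined` is a valid result appears only in the prose. Consider replacing `any` with a named provider typedef plus `|null|undefined`, and stating what happens when the factory throws, since the comment says the factory takes precedence over `resolveCloudOidcProviders` and therefore decides which credential path an adapter uses.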
@copilot address review feedback

✅ Copilot review passed with no inline comments. @copilot Add the

Addressed in

❌ Smoke Claude failed. No user request was provided in this turn — only system reminders listing available skills and project context were received. No action taken.

✅ Contribution Check completed successfully!

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

✅ Build Test Suite completed successfully!

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

✅ Smoke Gemini completed. All facets verified. 💎

✅ Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

✅ Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

✅ Build Test Suite completed successfully!

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

✅ Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

✅ Smoke Gemini completed. All facets verified. 💎

Smoke test completed with partial success. Connectivity and MCP failed.

❌ Smoke Claude failed. Smoke test complete - Claude agent initialized successfully with access to project context (gh-aw-firewall / awf CLI) and all expected skills/tools. No task was specified in the prompt, so no action was taken.

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

🔌 Smoke Services — All services reachable! ✅
🔬 Smoke Test: Copilot PAT — PASS
Overall: PASS | Auth mode: PAT (COPILOT_GITHUB_TOKEN) cc

Running in direct BYOK mode via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

🤖 Smoke Test Results — PASS
PR: Refactor: extract Overall: ✅ PASS

Reviewed merged PRs:

Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.

🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS

Smoke Test: API Proxy OpenTelemetry Tracing
All 5 scenarios pass. OTEL integration is functioning correctly.

Smoke Test: Gemini Engine Validation. Results: MCP: ❌, Connectivity: ❌, File: ✅, Bash: ✅. Status: FAIL

Warning: Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

Chroot Version Comparison Results
Overall: ❌ FAILED — Python and Node.js versions differ between host and chroot environments.

Smoke Test: GitHub Actions Services Connectivity
Overall: FAIL —

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS
Mode: Direct BYOK (COPILOT_DUMMY_BYOK) via api-proxy sidecar → api.githubcopilot.com
All three API proxy provider adapters repeated the same OIDC credential-resolution lifecycle — provider resolution, runtime method creation, and auth-header branching — with Anthropic using a hand-rolled variant that could diverge silently from the others.

New helper: `createProviderOidcAuth(env, options)`

Added to `providers/cloud-oidc-init.js`. Bundles the previously scattered three-step pattern into a single call returning:

- `authProvider`, `oidcProvider`, `awsOidcProvider`, `oidcConfigured`
- `runtimeMethods` — spread directly into the adapter return object
- `validationSkip()`, `skipModelsFetch()` — standard defaults
- `resolveAuthHeaders(buildOidcHeaders, staticHeaders)` — OIDC-or-fallback closure (no need to thread providers through)

Accepts an optional `oidcProviderFactory(env)` for adapters that use a custom token class:

Per-adapter changes

- `openai.js`: replaces the 2-step setup; `getAuthHeaders()` uses `resolveAuthHeaders()`; `validationSkip`/`skipModelsFetch` consumed directly from bundle
- `copilot.js`: replaces the 2-step setup; `getAuthHeaders()` retains direct `resolveOidcAuthHeaders` call (complex multi-path static fallback)
- `anthropic.js`: hand-rolled OIDC init replaced with `createProviderOidcAuth` + `oidcProviderFactory`; manual `isEnabled()`/`getOidcProvider()` replaced by spreading `runtimeMethods`; hand-rolled auth-header branch replaced with `resolveOidcAuthHeaders`

Tests

9 new tests for `createProviderOidcAuth` in `cloud-oidc-init.test.js` covering: no-OIDC bundle, static-token enablement, Azure provider creation, `skipWhen`, `resolveAuthHeaders` (token ready / not ready / unconfigured), custom factory, and factory returning null.
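
The factory-precedence and OIDC-or-static header selection described in this PR, sketched as an added example; it is not the project's code and not taken from `cloud-oidc-init.js`. The env names `USE_OIDC` and `STATIC_API_KEY`, the `getToken()` method, `resolveDefault`, and the fail-closed result when the token is not ready are assumptions made for illustration.

```javascript
// Added sketch, not the project's code. STATIC_API_KEY, USE_OIDC, getToken()
// and resolveDefault are hypothetical names chosen for this example.
function createProviderOidcAuthSketch(env, options = {}) {
  const { oidcProviderFactory = null, resolveDefault = () => null } = options;
  // A custom factory takes precedence over the default resolver; a
  // null/undefined result means OIDC is not configured.
  const resolve = oidcProviderFactory || resolveDefault;
  const oidcProvider = resolve(env) ?? null;
  const oidcConfigured = oidcProvider !== null;

  function resolveAuthHeaders(buildOidcHeaders, staticHeaders) {
    if (!oidcConfigured) return staticHeaders; // static credential path
    const token = oidcProvider.getToken();
    // Assumption: fail closed. A configured provider whose token is not
    // ready yields no headers rather than downgrading to the static key.
    if (!token) return null;
    return buildOidcHeaders(token);
  }

  return {
    oidcProvider,
    oidcConfigured,
    runtimeMethods: {
      isEnabled: () => oidcConfigured || Boolean(env.STATIC_API_KEY),
      getOidcProvider: () => oidcProvider,
    },
    resolveAuthHeaders,
  };
}

// Constructed stand-in for a custom OIDC token class.
class FakeTokenProvider {
  constructor(token) { this.token = token; }
  getToken() { return this.token; }
}

// Runs one adapter-style lookup against a constructed env and token.
function demo(env, providerToken) {
  const factory = (e) => (e.USE_OIDC === '1' ? new FakeTokenProvider(providerToken) : null);
  const auth = createProviderOidcAuthSketch(env, { oidcProviderFactory: factory });
  const bearer = (t) => ({ authorization: `Bearer ${t}` });
  const staticHeaders = env.STATIC_API_KEY ? { 'x-api-key': env.STATIC_API_KEY } : null;
  return {
    enabled: auth.runtimeMethods.isEnabled(),
    headers: auth.resolveAuthHeaders(bearer, staticHeaders),
  };
}

console.log(demo({ USE_OIDC: '1', STATIC_API_KEY: 'sk-constructed' }, null));
```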