feat(azure): forward credential_scopes to Azure AI Inference client#5661
Merged
feat(azure): forward credential_scopes to Azure AI Inference client#5661
Conversation
Adds a credential_scopes field to the native Azure AI Inference provider and a matching AZURE_CREDENTIAL_SCOPES env var (comma-separated). The value is forwarded to ChatCompletionsClient / AsyncChatCompletionsClient when set, letting keyless / Entra-based callers target a specific Azure AD audience (e.g. https://cognitiveservices.azure.com/.default) without subclassing the provider. Matches the upstream azure.ai.inference SDK kwarg of the same name. Lazy build re-reads the env var so an LLM constructed at module import (before deployment env vars are set) still picks up scopes — same pattern as the existing AZURE_API_KEY / AZURE_ENDPOINT lazy reads. to_config_dict round-trips the field.
Address review feedback: - Move os.getenv into the helper so AZURE_CREDENTIAL_SCOPES appears once - Match the surrounding api_key/endpoint `or` style in the validator - Drop the list() defensive copy in to_config_dict — every other field in that method (and the base class's `stop`) is assigned by reference
gabemilani
approved these changes
Apr 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a
credential_scopesfield to the native Azure AI Inference provider plus a matchingAZURE_CREDENTIAL_SCOPESenv var (comma-separated). The value is forwarded toChatCompletionsClient/AsyncChatCompletionsClientwhen set, letting keyless / Entra-based callers target a specific Azure AD audience (e.g.https://cognitiveservices.azure.com/.default) without subclassing the provider. Matches the upstreamazure.ai.inferenceSDK kwarg of the same name.Key Changes
credential_scopes: list[str] | Nonefield onAzureCompletion_normalize_azure_fieldsreadsAZURE_CREDENTIAL_SCOPES(comma-separated) when not provided explicitly_make_client_kwargsre-reads the env on lazy build (matching the existingAZURE_API_KEY/AZURE_ENDPOINTlazy pattern) and forwardscredential_scopesto the SDK only when setto_config_dictround-trips the fieldto_config_dictround-trip; full Azure module: 68 passed, 0 failedNote
Medium Risk
Touches Azure authentication/client initialization by altering token audience configuration, which can affect connectivity for keyless Entra flows. Changes are gated (only applied when scopes are provided) and covered by targeted tests.
Overview
Adds a new optional
credential_scopesfield toAzureCompletion, populated from either a constructor arg or the comma-separatedAZURE_CREDENTIAL_SCOPESenv var.Updates lazy client construction to re-read scopes at build time and only forward
credential_scopesinto the Azure AI Inference client kwargs when set;to_config_dictnow round-trips the value. Includes new unit tests covering explicit vs default behavior, env parsing/precedence, lazy env reads, and config serialization.Reviewed by Cursor Bugbot for commit 68a64e9. Bugbot is set up for automated code reviews on this repo. Configure here.