Description
GitHubCopilotAgent in agent-framework-github-copilot does not forward the provider field to the Copilot SDK's SessionConfig, making BYOK (Bring Your Own Key) and Azure Managed Identity authentication impossible through the Agent Framework wrapper.
How we found this
We are building an app on Azure Container Apps with Managed Identity). We wanted to use GitHubCopilotAgent with our Azure OpenAI endpoint via a bearer token, following the official GitHub docs for Azure Managed Identity with Copilot SDK. The provider config passed via default_options is not forwarded to the underlying SDK session.
Root cause
In python/packages/github_copilot/agent_framework_github_copilot/_agent.py, _create_session() builds a SessionConfig and explicitly forwards model, system_message, tools, on_permission_request, mcp_servers, and streaming — but never reads or forwards provider.
The same gap exists in _resume_session().
What the Copilot SDK supports
The underlying github-copilot-sdk fully supports this. Both SessionConfig and ResumeSessionConfig have a provider: ProviderConfig field:
# copilot/types.py
class ProviderConfig(TypedDict, total=False):
type: Literal["openai", "azure", "anthropic"]
base_url: str
api_key: str
bearer_token: str # For Managed Identity / Entra ID tokens
wire_api: Literal["completions", "responses"]
azure: AzureProviderOptionsProposed fix
Add provider passthrough in _create_session() (after the mcp_servers block):
provider = opts.get("provider") or self._default_options.get("provider")
if provider:
config["provider"] = providerAnd in _resume_session():
provider = self._default_options.get("provider")
if provider:
config["provider"] = providerOptionally, add provider: ProviderConfig to GitHubCopilotOptions TypedDict for type safety.
Verified locally
We patched the installed package and confirmed it works:
from azure.identity import AzureCliCredential
from agent_framework_github_copilot import GitHubCopilotAgent
credential = AzureCliCredential()
token = credential.get_token("https://cognitiveservices.azure.com/.default")
agent = GitHubCopilotAgent(
instructions="Reply in one word.",
default_options={
"model": "gpt-5-mini",
"on_permission_request": deny_all,
"provider": {
"type": "azure",
"base_url": "https://my-resource.openai.azure.com",
"bearer_token": token.token,
},
},
)
async with agent:
result = await agent.run("What is 2 + 2?")
# ✅ Response: "Four."Environment
agent-framework-github-copilot==1.0.0b260402github-copilot-sdk==0.1.32- Python 3.13
Description
GitHubCopilotAgentinagent-framework-github-copilotdoes not forward theproviderfield to the Copilot SDK'sSessionConfig, making BYOK (Bring Your Own Key) and Azure Managed Identity authentication impossible through the Agent Framework wrapper.How we found this
We are building an app on Azure Container Apps with Managed Identity). We wanted to use
GitHubCopilotAgentwith our Azure OpenAI endpoint via a bearer token, following the official GitHub docs for Azure Managed Identity with Copilot SDK. Theproviderconfig passed viadefault_optionsis not forwarded to the underlying SDK session.Root cause
In
python/packages/github_copilot/agent_framework_github_copilot/_agent.py,_create_session()builds aSessionConfigand explicitly forwardsmodel,system_message,tools,on_permission_request,mcp_servers, andstreaming— but never reads or forwardsprovider.The same gap exists in
_resume_session().What the Copilot SDK supports
The underlying
github-copilot-sdkfully supports this. BothSessionConfigandResumeSessionConfighave aprovider: ProviderConfigfield:Proposed fix
Add provider passthrough in
_create_session()(after themcp_serversblock):And in
_resume_session():Optionally, add
provider: ProviderConfigtoGitHubCopilotOptionsTypedDict for type safety.Verified locally
We patched the installed package and confirmed it works:
Environment
agent-framework-github-copilot==1.0.0b260402github-copilot-sdk==0.1.32