Fix Azure OpenAI authentication failure behind a TLS-inspecting proxy#6553
Fix Azure OpenAI authentication failure behind a TLS-inspecting proxy#6553subhashpolisetti wants to merge 1 commit into
Conversation
b736db1 to
d250028
Compare
|
Could you please add an integration test that demonstrates the issue (broken without the fix, passing with the fix)? |
|
I looked into this and couldn't find a way to write a self-contained test that fails without the fix, because the failure is environmental. The old code used AuthenticationUtil.getBearerTokenSupplier(credential, scope). Its supplier does a sendSync(GET https://www.example.com) on every call, just to read back the Authorization header. The URL is hardcoded and there's no way to inject an HttpClient, so on a normal network (including CI) it succeeds. I checked, and the existing tests actually pass against both the old and new code. It only breaks behind a TLS-inspecting proxy that fails the example.com handshake (the PKIX error from the issue), which I can't reproduce deterministically in CI. The unit tests I added cover the new behavior: token resolved via getTokenSync with the cognitiveservices.azure.com/.default scope, cached across calls, no example.com round-trip. The only way I found to force a failure is overriding the default Azure HttpClient via ServiceLoader, but that's JVM-wide and would affect the other tests in the module. Happy to add it if you're fine with that, or take a different approach if you have one in mind. |
d250028 to
7965e96
Compare
Azure OpenAI authentication acquired its bearer token through AuthenticationUtil.getBearerTokenSupplier, which issues a live HTTPS request to https://www.example.com on every call purely to read the Authorization header back off the request. That extra hop is unnecessary and fails in environments where the connection is not permitted, such as behind a TLS-inspecting proxy requiring custom certificates. Acquire the token from the credential directly, caching it in a small synchronous supplier that refreshes shortly before expiry. This drops the example.com request while preserving the token caching the removed pipeline provided, and keeps token acquisition off the reactive path. Closes spring-projects#6549 Signed-off-by: subhash polisetti <subhashr161347@gmail.com>
7965e96 to
ee4e111
Compare
|
Ok thanks for the additional context, I will have a deeper look during the review. |
Azure OpenAI token authentication (Azure CLI or managed identity, rather than an
API key) currently builds its bearer-token supplier with
AuthenticationUtil.getBearerTokenSupplier(...). That supplier issues a liveHTTPS
GET https://www.example.comon every invocation, purely to run thecredential through a
BearerTokenAuthenticationPolicyand read the resultingAuthorizationheader back off the request. Theopenai-javaclient invokesthe supplier while preparing each request, so this hop happens on every call.
The example.com request is unnecessary and fails in environments where such a
connection is not permitted for example behind a TLS-inspecting proxy that
requires custom certificates, where it surfaces as
SSLHandshakeException: ... PKIX path building failed. Importing certificatesinto every application's JVM is an impractical workaround.
This reads the token directly from the credential instead. Since the
azure-identitycredentials do not cache tokens themselves — that is the SDKpipeline's role — it is wrapped in
SimpleTokenCacheto preserve the tokencaching and refresh the previous pipeline provided. No dependency is added (both
types come with the Azure SDK), the acquired token is unchanged, and it
continues to work with any
DefaultAzureCredentialchain (managed identity,workload identity, Azure CLI, etc.).
Testing
Added unit tests in
AzureInternalOpenAiHelperTests:https://cognitiveservices.azure.com/.defaultscope is requested,./mvnw -pl models/spring-ai-openai testpasses; formatting is clean.Closes #6549