[awf] API Proxy: BYOK Azure OpenAI routing fails with 404/401 across base URL variants #4366

Description

@lpcox

Problem

Users routing BYOK (Bring Your Own Key) Azure OpenAI requests through the AWF API proxy sidecar consistently receive HTTP 404 or HTTP 401 regardless of COPILOT_PROVIDER_BASE_URL format used — with or without COPILOT_PROVIDER_TYPE: azure.

Context

Original issue: github/gh-aw#35483

The user tested four URL formats (with/without deployment path, with/without trailing slash) and two provider configs. All combinations fail. The API proxy sidecar (containers/api-proxy/) is responsible for injecting credentials and forwarding to Squid.

Root Cause

The Azure OpenAI API requires the full deployment path in the URL (/openai/deployments/{deployment}/chat/completions?api-version=...). The AWF API proxy likely strips, rewrites, or misroutes these path segments when constructing the upstream request, causing 404. The 401 responses suggest the api-key header is not being injected correctly for Azure-type providers (which use api-key header, not Authorization: Bearer).

Proposed Solution

  1. In containers/api-proxy/, detect COPILOT_PROVIDER_TYPE=azure and switch credential injection from Authorization: Bearer to the api-key header.
  2. Preserve the full request path and query string when proxying to Azure endpoints.
  3. Add an integration test covering BYOK Azure routing through the proxy sidecar.

Generated by Firewall Issue Dispatcher · sonnet46 2.1M ·
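A sketch of steps 1 and 2 of the proposed solution, added here as an illustration and not taken from `containers/api-proxy/`. The function name, the `cfg`/`incoming` shapes, the host `myresource.example`, the deployment name and the `api-version` value are all assumptions made for the example; it also assumes the client may send either the full deployment path or only the part after the base URL's path.

```javascript
// Added example: every name here is hypothetical, not the project's code.
// Credential headers a client must never be able to pass through the proxy.
const CREDENTIAL_HEADERS = new Set(['authorization', 'api-key']);

function buildUpstreamRequest(cfg, incoming) {
  // cfg: { baseUrl, providerType, apiKey }   incoming: { url, headers }
  const base = new URL(cfg.baseUrl);
  // Parse the client's request target; the dummy origin is discarded.
  const target = new URL(incoming.url, 'http://proxy.invalid');

  // Normalise the trailing slash so ".../gpt-4o" and ".../gpt-4o/" match.
  const basePath = base.pathname.replace(/\/+$/, '');
  let reqPath = target.pathname;
  // If the client already sent the base path, do not prepend it twice.
  if (basePath && (reqPath === basePath || reqPath.startsWith(basePath + '/'))) {
    reqPath = reqPath.slice(basePath.length);
  }

  const upstream = new URL(base.origin);
  upstream.pathname = basePath + reqPath; // deployment segments preserved
  upstream.search = target.search;        // ?api-version=... kept verbatim

  // Drop any credential header the client supplied, then inject exactly one.
  const headers = {};
  for (const [name, value] of Object.entries(incoming.headers || {})) {
    const lower = name.toLowerCase();
    if (!CREDENTIAL_HEADERS.has(lower)) headers[lower] = value;
  }
  if ((cfg.providerType || '').toLowerCase() === 'azure') {
    headers['api-key'] = cfg.apiKey;              // Azure OpenAI key header
  } else {
    headers['authorization'] = `Bearer ${cfg.apiKey}`;
  }
  return { url: upstream.toString(), headers };
}
```

Stripping client-supplied `Authorization` and `api-key` before injection keeps the sidecar the only source of credentials on the upstream request, whichever provider type is configured.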
