Problem
Users routing BYOK (Bring Your Own Key) Azure OpenAI requests through the AWF API proxy sidecar consistently receive HTTP 404 or HTTP 401 regardless of COPILOT_PROVIDER_BASE_URL format used — with or without COPILOT_PROVIDER_TYPE: azure.
Context
Original issue: github/gh-aw#35483
The user tested four URL formats (with/without deployment path, with/without trailing slash) and two provider configs. All combinations fail. The API proxy sidecar (containers/api-proxy/) is responsible for injecting credentials and forwarding to Squid.
Root Cause
The Azure OpenAI API requires the full deployment path in the URL (/openai/deployments/{deployment}/chat/completions?api-version=...). The AWF API proxy likely strips, rewrites, or misroutes these path segments when constructing the upstream request, causing 404. The 401 responses suggest the api-key header is not being injected correctly for Azure-type providers (which use api-key header, not Authorization: Bearer).
Proposed Solution
- In
containers/api-proxy/, detect COPILOT_PROVIDER_TYPE=azure and switch credential injection from Authorization: Bearer to the api-key header.
- Preserve the full request path and query string when proxying to Azure endpoints.
- Add an integration test covering BYOK Azure routing through the proxy sidecar.
Generated by Firewall Issue Dispatcher · sonnet46 2.1M · ◷
Problem
Users routing BYOK (Bring Your Own Key) Azure OpenAI requests through the AWF API proxy sidecar consistently receive HTTP 404 or HTTP 401 regardless of
COPILOT_PROVIDER_BASE_URLformat used — with or withoutCOPILOT_PROVIDER_TYPE: azure.Context
Original issue: github/gh-aw#35483
The user tested four URL formats (with/without deployment path, with/without trailing slash) and two provider configs. All combinations fail. The API proxy sidecar (
containers/api-proxy/) is responsible for injecting credentials and forwarding to Squid.Root Cause
The Azure OpenAI API requires the full deployment path in the URL (
/openai/deployments/{deployment}/chat/completions?api-version=...). The AWF API proxy likely strips, rewrites, or misroutes these path segments when constructing the upstream request, causing 404. The 401 responses suggest theapi-keyheader is not being injected correctly for Azure-type providers (which useapi-keyheader, notAuthorization: Bearer).Proposed Solution
containers/api-proxy/, detectCOPILOT_PROVIDER_TYPE=azureand switch credential injection fromAuthorization: Bearerto theapi-keyheader.