github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 03:18:23 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

feat: Allow authenticating to AzureOpenAI using DefaultAzureCredential() #6096

New Issue
Closed
opened 2025-11-11 16:44:49 -06:00 by GiteaMirror · 0 comments
GiteaMirror commented 2025-11-11 16:44:49 -06:00
Owner
Copy Link

Originally created by @selenecodes on GitHub (Aug 14, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

Currently when using AzureOpenAI you are required to pass an API key.

Current location where Azure authentication happens (to my knowledge):

438e5d966f/backend/open_webui/routers/openai.py (L856-L859)

Desired Solution you'd like

Being able to authenticate using a DefaultAzureCredential() as an option would be preferred so that you have to worry less about API key rotation as you would get short-lived access tokens on every request. Would also save the hassle of having to rotate your keys.

Alternatives Considered

No response

Additional Context

Relevant example from the openai_python library.
See: openai-python/src/openai/lib/azure.py for full code.

    def _get_azure_ad_token(self) -> str | None:
        if self._azure_ad_token is not None:
            return self._azure_ad_token


        provider = self._azure_ad_token_provider
        if provider is not None:
            token = provider()
            if not token or not isinstance(token, str):  # pyright: ignore[reportUnnecessaryIsInstance]
                raise ValueError(
                    f"Expected `azure_ad_token_provider` argument to return a string but it returned {token}",
                )
            return token


        return None

The self._azure_ad_token_provider would be get_bearer_token_provider, see below:

from azure.identity import DefaultAzureCredential, get_bearer_token_provider

scopes = "https://cognitiveservices.azure.com/.default"
get_bearer_token_provider(DefaultAzureCredential(), scopes)

This provider would be called on every request like this.
See: openai-python/src/openai/lib/azure.py for full code.

        azure_ad_token = self._get_azure_ad_token()
        if azure_ad_token is not None:
            if headers.get("Authorization") is None:
                headers["Authorization"] = f"Bearer {azure_ad_token}"
Originally created by @selenecodes on GitHub (Aug 14, 2025). ### Check Existing Issues - [x] I have searched the existing issues and discussions. ### Problem Description Currently when using AzureOpenAI you are required to pass an API key. Current location where Azure authentication happens (to my knowledge): https://github.com/open-webui/open-webui/blob/438e5d966f0f64f9ea3feab22724a5bd96a4127b/backend/open_webui/routers/openai.py#L856-L859 ### Desired Solution you'd like Being able to authenticate using a `DefaultAzureCredential()` as an option would be preferred so that you have to worry less about API key rotation as you would get short-lived access tokens on every request. Would also save the hassle of having to rotate your keys. ### Alternatives Considered _No response_ ### Additional Context Relevant example from the openai_python library. _See: [openai-python/src/openai/lib/azure.py](https://github.com/openai/openai-python/blob/34014aedbb8946c03e97e5c8d72e03ad2259cd7c/src/openai/lib/azure.py#L306-L319) for full code._ ```python def _get_azure_ad_token(self) -> str | None: if self._azure_ad_token is not None: return self._azure_ad_token provider = self._azure_ad_token_provider if provider is not None: token = provider() if not token or not isinstance(token, str): # pyright: ignore[reportUnnecessaryIsInstance] raise ValueError( f"Expected `azure_ad_token_provider` argument to return a string but it returned {token}", ) return token return None ``` The `self._azure_ad_token_provider` would be `get_bearer_token_provider`, see below: ```python from azure.identity import DefaultAzureCredential, get_bearer_token_provider scopes = "https://cognitiveservices.azure.com/.default" get_bearer_token_provider(DefaultAzureCredential(), scopes) ``` This provider would be called on every request like this. _See: [openai-python/src/openai/lib/azure.py](https://github.com/openai/openai-python/blob/34014aedbb8946c03e97e5c8d72e03ad2259cd7c/src/openai/lib/azure.py#L328-L331) for full code._ ```python azure_ad_token = self._get_azure_ad_token() if azure_ad_token is not None: if headers.get("Authorization") is None: headers["Authorization"] = f"Bearer {azure_ad_token}" ```
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#6096
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?