
[awf] api-proxy: OIDC authentication for BYOK model provider (engine.auth) #2544

@lpcox

Problem

The api-proxy sidecar only supports static API keys (COPILOT_PROVIDER_API_KEY). Azure OpenAI deployments with Entra-only authentication (API keys disabled) cannot use BYOK mode, as there is no static key to store.

Context

Original issue: github/gh-aw#30260

Root Cause

The api-proxy (containers/api-proxy/) has no mechanism to acquire short-lived tokens via OIDC federation. It only injects static keys stored as secrets. The MCP Gateway already supports auth: { type: github-oidc } (via ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN), but this plumbing is not wired into the api-proxy.

Proposed Solution

Add engine.auth block support to the api-proxy:

  1. Parse AWF_AUTH_TYPE / AWF_AUTH_AUDIENCE env vars in the api-proxy container startup.
  2. When type: github-oidc, use ACTIONS_ID_TOKEN_REQUEST_URL + ACTIONS_ID_TOKEN_REQUEST_TOKEN (already forwarded to containers) to mint a GitHub OIDC token.
  3. For Azure: exchange the OIDC token for an Azure AD bearer token via the workload identity federation token endpoint.
  4. Inject the resulting bearer token as Authorization: Bearer <token> on upstream requests.
  5. Implement proactive token refresh before expiry (Azure tokens last ~1 hour).

Reference the existing MCP Gateway OIDC implementation in gh-aw-mcpg as the pattern to follow.
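An added sketch of steps 3 to 5 in Go, written for this issue and not taken from gh-aw, the api-proxy or gh-aw-mcpg: the body of the Azure workload identity federation token request, in which the GitHub OIDC JWT is presented as the client assertion, and a cache that injects the bearer token and refreshes it proactively before expiry instead of waiting for a 401. The type and function names, the 5-minute refresh skew and the stand-in fetcher are assumptions; the HTTP calls to the GitHub OIDC endpoint and the Azure token endpoint are left to the caller.

```go
package main

import (
	"fmt"
	"net/url"
	"sync"
	"time"
)

// Token is a bearer token plus its absolute expiry (Azure returns expires_in seconds).
type Token struct {
	Value     string
	ExpiresAt time.Time
}

// AzureExchangeForm builds the workload identity federation request body: the
// GitHub OIDC JWT is the client assertion of a client_credentials grant.
func AzureExchangeForm(clientID, oidcToken, scope string) url.Values {
	v := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "scope": {scope}}
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", oidcToken)
	return v
}

// Cache serves one bearer token, refreshing it proactively once it is within Skew of expiry.
type Cache struct {
	Fetch func() (Token, error) // mint step: GitHub OIDC request, then the Azure exchange
	Skew  time.Duration
	mu    sync.Mutex
	tok   Token
}

// Bearer returns the Authorization header value; a failed refresh is reported, not hidden.
func (c *Cache) Bearer() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.tok.Value == "" || !time.Now().Add(c.Skew).Before(c.tok.ExpiresAt) {
		t, err := c.Fetch()
		if err != nil {
			return "", err
		}
		c.tok = t
	}
	return "Bearer " + c.tok.Value, nil
}

func main() { // constructed stand-in Fetch; the real one calls GitHub, then Azure
	c := &Cache{Skew: 5 * time.Minute, Fetch: func() (Token, error) { return Token{"example", time.Now().Add(time.Hour)}, nil }}
	fmt.Println(c.Bearer())
}
```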

Generated by Firewall Issue Dispatcher
