## Problem

The Copilot BYOK mode requires static credentials via `COPILOT_PROVIDER_API_KEY` or `COPILOT_PROVIDER_BEARER_TOKEN` sourced from `${{ secrets.* }}`. This doesn't work with Azure OpenAI deployments that have API key authentication disabled (Entra-only), which is a security best practice recommended by Microsoft.

The MCP Gateway already supports OIDC authentication via `auth: { type: github-oidc }` (PR gh-aw-mcpg#2878, issues #23566, #25224, #25646). The same capability is needed for the BYOK model provider (api-proxy sidecar).

## Current Behavior

```yaml
engine:
  env:
    COPILOT_PROVIDER_BASE_URL: https://my-resource.openai.azure.com
    COPILOT_PROVIDER_TYPE: azure
    COPILOT_MODEL: gpt-4.1
    COPILOT_PROVIDER_API_KEY: ${{ secrets.AZURE_OPENAI_KEY }}  # requires a static key
```

This fails for Entra-only Azure OpenAI deployments because there is no static API key to store — authentication requires short-lived Azure AD tokens acquired via OIDC federation.

## Proposed Solution

Add OIDC authentication support to the BYOK api-proxy, similar to what the MCP Gateway already implements:

```yaml
permissions:
  id-token: write
engine:
  env:
    COPILOT_PROVIDER_BASE_URL: https://my-resource.openai.azure.com
    COPILOT_PROVIDER_TYPE: azure
    COPILOT_MODEL: gpt-4.1
  auth:
    type: github-oidc
    audience: https://cognitiveservices.azure.com
```

The api-proxy would:

1. Mint a GitHub OIDC token with the specified audience, using `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN` (already forwarded to containers per #25224, "MCP Gateway container missing ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKEN env vars", and #25646, "Compiler does not forward OIDC env vars to MCP Gateway docker run command")
2. Exchange it for an Azure AD token via workload identity federation
3. Use the resulting bearer token for upstream requests to the provider
4. Refresh automatically before expiry

## Why This Matters

- Azure OpenAI's security guidance recommends disabling API keys and using Entra-only auth
- Organizations with compliance requirements often mandate no long-lived secrets
- The OIDC plumbing already exists in gh-aw (MCP Gateway) — this extends it to the model provider
- Enables BYOK with Azure OpenAI without compromising on a zero-secret security posture

## Workaround Attempted

We tried using `copilot-setup-steps.yml` to mint an OIDC token and export `COPILOT_PROVIDER_BEARER_TOKEN` via `GITHUB_ENV`, but that file is a Copilot coding agent feature and is not executed by gh-aw. The `on.steps:` frontmatter runs in `pre_activation`, which lacks `id-token: write` permission.

## Environment

- gh-aw with Copilot engine, BYOK mode
- Azure OpenAI with API keys disabled (Entra-only)
- Federated credential configured for the repository's OIDC identity
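The four api-proxy steps from the proposal (mint, exchange, use, refresh), carried through as an added Go example (gh-aw itself is a Go project). This is illustrative code written for this page, not gh-aw's api-proxy, the MCP Gateway's OIDC code, or any Azure SDK call. It assumes the container has the Actions runtime variables `ACTIONS_ID_TOKEN_REQUEST_URL`/`ACTIONS_ID_TOKEN_REQUEST_TOKEN`; that the federated credential on the Entra app registration was created with audience `api://AzureADTokenExchange` (Azure's documented default for GitHub federation; this is the audience of the GitHub token, while the Azure OpenAI resource is named by the scope `https://cognitiveservices.azure.com/.default` in the exchange request); and that `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` hold the tenant and app registration ids (assumed variable names, not gh-aw configuration). The first step checks for the runtime variables explicitly, since their absence is exactly what a job without `id-token: write` looks like from inside the container.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
	"time"
)

// TokenSource is an illustrative bearer-token provider for the api-proxy proposed in this issue
// (not gh-aw code): mint a GitHub OIDC token, exchange it at Entra ID, cache, refresh before expiry.
type TokenSource struct {
	RequestURL    string        // ACTIONS_ID_TOKEN_REQUEST_URL; empty unless the job has id-token: write
	RequestToken  string        // ACTIONS_ID_TOKEN_REQUEST_TOKEN
	Audience      string        // aud claim of the GitHub token; must match the federated credential
	TokenEndpoint string        // https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
	ClientID      string        // app registration (or managed identity) holding the federated credential
	Scope         string        // resource scope, e.g. https://cognitiveservices.azure.com/.default
	RefreshSkew   time.Duration // re-mint this long before the cached token would expire
	mu            sync.Mutex    // one refresh at a time, so concurrent proxy requests don't each mint
	token         string
	expiry        time.Time
}

// doJSON performs one request, requires HTTP 200 and decodes the JSON response into out.
func doJSON(ctx context.Context, method, u string, hdr http.Header, body string, out any) error {
	req, err := http.NewRequestWithContext(ctx, method, u, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header = hdr
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned HTTP %d", req.URL.Host, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Step 1: ask the Actions runtime for an ID token with the requested audience. The runtime URL
// already carries ?api-version=..., so the audience parameter is appended with &.
func (s *TokenSource) mintGitHubOIDC(ctx context.Context) (string, error) {
	if s.RequestURL == "" || s.RequestToken == "" {
		return "", fmt.Errorf("ACTIONS_ID_TOKEN_REQUEST_* unset: the job lacks id-token: write")
	}
	var body struct{ Value string `json:"value"` }
	hdr := http.Header{"Authorization": {"Bearer " + s.RequestToken}}
	if err := doJSON(ctx, http.MethodGet, s.RequestURL+"&audience="+url.QueryEscape(s.Audience), hdr, "", &body); err != nil || body.Value == "" {
		return "", fmt.Errorf("oidc mint: no token in response (%v)", err)
	}
	return body.Value, nil
}

// Step 2: present the GitHub JWT as a client assertion in a client_credentials grant; Entra
// returns an access token for Scope together with its lifetime (expires_in, in seconds).
func (s *TokenSource) exchangeForEntra(ctx context.Context, jwt string) (string, time.Duration, error) {
	form := url.Values{
		"grant_type": {"client_credentials"}, "client_id": {s.ClientID}, "scope": {s.Scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {jwt},
	}
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	hdr := http.Header{"Content-Type": {"application/x-www-form-urlencoded"}}
	if err := doJSON(ctx, http.MethodPost, s.TokenEndpoint, hdr, form.Encode(), &body); err != nil || body.AccessToken == "" {
		return "", 0, fmt.Errorf("token exchange: no access_token in response (%v)", err)
	}
	return body.AccessToken, time.Duration(body.ExpiresIn) * time.Second, nil
}

// Steps 3 and 4: return the cached bearer token for upstream requests, re-running
// mint+exchange only when the cache is empty or the token is within RefreshSkew of expiry.
func (s *TokenSource) Token(ctx context.Context) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token == "" || !time.Now().Add(s.RefreshSkew).Before(s.expiry) {
		jwt, err := s.mintGitHubOIDC(ctx)
		if err != nil {
			return "", err
		}
		tok, ttl, err := s.exchangeForEntra(ctx, jwt)
		if err != nil {
			return "", err
		}
		s.token, s.expiry = tok, time.Now().Add(ttl)
	}
	return s.token, nil
}

func main() { // AZURE_TENANT_ID and AZURE_CLIENT_ID are assumed variable names, not gh-aw's
	ts := &TokenSource{RefreshSkew: 5 * time.Minute, Audience: "api://AzureADTokenExchange",
		Scope: "https://cognitiveservices.azure.com/.default", ClientID: os.Getenv("AZURE_CLIENT_ID"),
		RequestURL: os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL"), RequestToken: os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"),
		TokenEndpoint: "https://login.microsoftonline.com/" + os.Getenv("AZURE_TENANT_ID") + "/oauth2/v2.0/token"}
	if _, err := ts.Token(context.Background()); err != nil {
		log.Fatalln("error:", err)
	}
	fmt.Println("obtained Entra bearer token for upstream requests") // never print the token itself
}
```

Because a sidecar proxy serves many concurrent requests, `Token` serialises refreshes behind a mutex so that a burst of requests near expiry causes one mint-and-exchange rather than one per request, and the `RefreshSkew` window (five minutes here) keeps the proxy from presenting a token that expires mid-request. An audience mismatch, a federated-credential subject that does not match the workflow's `sub` claim, or a missing `id-token: write` permission all surface as a returned error rather than as an empty bearer token sent upstream.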