Skip to content

Fix Azure OpenAI authentication failure behind a TLS-inspecting proxy#6553

Open
subhashpolisetti wants to merge 1 commit into
spring-projects:mainfrom
subhashpolisetti:azure-openai-auth-example-com
Open

Fix Azure OpenAI authentication failure behind a TLS-inspecting proxy#6553
subhashpolisetti wants to merge 1 commit into
spring-projects:mainfrom
subhashpolisetti:azure-openai-auth-example-com

Conversation

@subhashpolisetti

@subhashpolisetti subhashpolisetti commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Azure OpenAI token authentication (Azure CLI or managed identity, rather than an
API key) currently builds its bearer-token supplier with
AuthenticationUtil.getBearerTokenSupplier(...). That supplier issues a live
HTTPS GET https://www.example.com on every invocation, purely to run the
credential through a BearerTokenAuthenticationPolicy and read the resulting
Authorization header back off the request. The openai-java client invokes
the supplier while preparing each request, so this hop happens on every call.

The example.com request is unnecessary and fails in environments where such a
connection is not permitted for example behind a TLS-inspecting proxy that
requires custom certificates, where it surfaces as
SSLHandshakeException: ... PKIX path building failed. Importing certificates
into every application's JVM is an impractical workaround.

This reads the token directly from the credential instead. Since the
azure-identity credentials do not cache tokens themselves — that is the SDK
pipeline's role — it is wrapped in SimpleTokenCache to preserve the token
caching and refresh the previous pipeline provided. No dependency is added (both
types come with the Azure SDK), the acquired token is unchanged, and it
continues to work with any DefaultAzureCredential chain (managed identity,
workload identity, Azure CLI, etc.).

Testing

Added unit tests in AzureInternalOpenAiHelperTests:

  • the token is resolved from the credential (no HTTP client in the path),
  • the https://cognitiveservices.azure.com/.default scope is requested,
  • the cached token is reused across calls (the credential is queried once).

./mvnw -pl models/spring-ai-openai test passes; formatting is clean.

Closes #6549

Azure OpenAI authentication acquired its bearer token through
AuthenticationUtil.getBearerTokenSupplier, which issues a live HTTPS
request to https://www.example.com on every call purely to read the
Authorization header back off the request. That extra hop is
unnecessary and fails in environments where the connection is not
permitted, such as behind a TLS-inspecting proxy requiring custom
certificates.

Acquire the token from the credential directly, caching it in a small
synchronous supplier that refreshes shortly before expiry. This drops
the example.com request while preserving the token caching the removed
pipeline provided, and keeps token acquisition off the reactive path.

Closes spring-projects#6549

Signed-off-by: subhash polisetti <subhashr161347@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Spring AI 2 authentication to Azure OpenAI fails

2 participants