fix: update azure workload identity authentication to use federated token directly

Adrien Bestel · Adrien Bestel · commit 23d8e2df2262 · 2025-11-17T17:30:30.000Z
The environment already reads the value of the file, which made the second read with the actual token fail.
diff --git a/src/providers/azure-ai-inference/api.ts b/src/providers/azure-ai-inference/api.ts
@@ -109,25 +109,20 @@ const AzureAIInferenceAPI: ProviderAPIConfig = {
       const authorityHost = Environment(c).AZURE_AUTHORITY_HOST;
       const tenantId = Environment(c).AZURE_TENANT_ID;
       const clientId = azureWorkloadClientId || Environment(c).AZURE_CLIENT_ID;
-      const federatedTokenFile = Environment(c).AZURE_FEDERATED_TOKEN_FILE;
-
-      if (authorityHost && tenantId && clientId && federatedTokenFile) {
-        const fs = await import('fs');
-        const federatedToken = fs.readFileSync(federatedTokenFile, 'utf8');
-
-        if (federatedToken) {
-          const scope = 'https://cognitiveservices.azure.com/.default';
-          const accessToken = await getAzureWorkloadIdentityToken(
-            authorityHost,
-            tenantId,
-            clientId,
-            federatedToken,
-            scope
-          );
-          return {
-            Authorization: `Bearer ${accessToken}`,
-          };
-        }
+      const federatedToken = Environment(c).AZURE_FEDERATED_TOKEN;
+
+      if (authorityHost && tenantId && clientId && federatedToken) {
+        const scope = 'https://cognitiveservices.azure.com/.default';
+        const accessToken = await getAzureWorkloadIdentityToken(
+          authorityHost,
+          tenantId,
+          clientId,
+          federatedToken,
+          scope
+        );
+        return {
+          Authorization: `Bearer ${accessToken}`,
+        };
       }
     }
 
diff --git a/src/providers/azure-openai/api.ts b/src/providers/azure-openai/api.ts
@@ -56,25 +56,20 @@ const AzureOpenAIAPIConfig: ProviderAPIConfig = {
       const authorityHost = Environment(c).AZURE_AUTHORITY_HOST;
       const tenantId = Environment(c).AZURE_TENANT_ID;
       const clientId = azureWorkloadClientId || Environment(c).AZURE_CLIENT_ID;
-      const federatedTokenFile = Environment(c).AZURE_FEDERATED_TOKEN_FILE;
+      const federatedToken = Environment(c).AZURE_FEDERATED_TOKEN;
 
-      if (authorityHost && tenantId && clientId && federatedTokenFile) {
-        const fs = await import('fs');
-        const federatedToken = fs.readFileSync(federatedTokenFile, 'utf8');
-
-        if (federatedToken) {
-          const scope = 'https://cognitiveservices.azure.com/.default';
-          const accessToken = await getAzureWorkloadIdentityToken(
-            authorityHost,
-            tenantId,
-            clientId,
-            federatedToken,
-            scope
-          );
-          return {
-            Authorization: `Bearer ${accessToken}`,
-          };
-        }
+      if (authorityHost && tenantId && clientId && federatedToken) {
+        const scope = 'https://cognitiveservices.azure.com/.default';
+        const accessToken = await getAzureWorkloadIdentityToken(
+          authorityHost,
+          tenantId,
+          clientId,
+          federatedToken,
+          scope
+        );
+        return {
+          Authorization: `Bearer ${accessToken}`,
+        };
       }
     }
     const headersObj: Record<string, string> = {
diff --git a/src/utils/env.ts b/src/utils/env.ts
@@ -102,7 +102,7 @@ const nodeEnv = {
   ),
   AZURE_TENANT_ID: getValueOrFileContents(process.env.AZURE_TENANT_ID),
   AZURE_CLIENT_ID: getValueOrFileContents(process.env.AZURE_CLIENT_ID),
-  AZURE_FEDERATED_TOKEN_FILE: getValueOrFileContents(
+  AZURE_FEDERATED_TOKEN: getValueOrFileContents(
     process.env.AZURE_FEDERATED_TOKEN_FILE
   ),
 
