feat(client): add support for short-lived tokens (#1185)

Author: karpetrosyan

README.md

@@ -156,6 +156,83 @@ OpenAIClient clientWithOptions = client.withOptions(optionsBuilder -> {
 
 The `withOptions()` method does not affect the original client or service.
 
+### Workload identity authentication
+
+Workload identity authentication allows applications running in cloud environments (Kubernetes, Azure, GCP) to authenticate using short-lived tokens issued by the cloud provider, instead of long-lived API keys.
+
+#### Basic setup
+
+```java
+import com.openai.auth.*;
+import com.openai.client.OpenAIClient;
+import com.openai.client.okhttp.OpenAIOkHttpClient;
+
+SubjectTokenProvider provider = K8sServiceAccountTokenProvider.builder().build();
+
+WorkloadIdentity workloadIdentity = WorkloadIdentity.builder()
+    .clientId("your-client-id")
+    .identityProviderId("your-identity-provider-id")
+    .serviceAccountId("your-service-account-id")
+    .provider(provider)
+    .build();
+
+OpenAIClient client = OpenAIOkHttpClient.builder()
+    .workloadIdentity(workloadIdentity)
+    .build();
+```
+
+#### Kubernetes service account token provider
+
+```java
+// Use default token path (/var/run/secrets/kubernetes.io/serviceaccount/token)
+SubjectTokenProvider provider = K8sServiceAccountTokenProvider.builder().build();
+```
+
+```java
+// Or specify a custom token path
+SubjectTokenProvider provider = K8sServiceAccountTokenProvider.builder()
+    .tokenPath("/custom/path/to/token")
+    .build();
+```
+
+#### Azure Managed Identity provider
+
+```java
+import com.openai.auth.*;
+
+// Use defaults (resource: https://management.azure.com/, api-version: 2018-02-01)
+SubjectTokenProvider provider = AzureManagedIdentityTokenProvider.builder()
+    .build();
+```
+
+```java
+import com.openai.auth.*;
+
+// Or customize
+SubjectTokenProvider provider = AzureManagedIdentityTokenProvider.builder()
+    .resource("https://management.azure.com/")
+    .apiVersion("2018-02-01")
+    .build();
+```
+
+#### GCP ID token provider
+
+```java
+import com.openai.auth.*;
+
+SubjectTokenProvider provider = GcpIdTokenProvider.builder()
+    .build();
+```
+
+```java
+import com.openai.auth.*;
+
+// Or customize the audience
+SubjectTokenProvider provider = GcpIdTokenProvider.builder()
+    .audience("https://api.openai.com/v1")
+    .build();
+```
+
 ## Requests and responses
 
 To send a request to the OpenAI API, build an instance of some `Params` class and pass it to the corresponding client method. When the response is received, it will be deserialized into an instance of a Java class.

openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OpenAIOkHttpClient.kt

@@ -3,6 +3,7 @@
 package com.openai.client.okhttp
 
 import com.fasterxml.jackson.databind.json.JsonMapper
+import com.openai.auth.WorkloadIdentity
 import com.openai.azure.AzureOpenAIServiceVersion
 import com.openai.azure.AzureUrlPathMode
 import com.openai.client.OpenAIClient
@@ -277,6 +278,14 @@ class OpenAIOkHttpClient private constructor() {
 
         fun credential(credential: Credential) = apply { clientOptions.credential(credential) }
 
+        fun workloadIdentity(workloadIdentity: WorkloadIdentity?) = apply {
+            clientOptions.workloadIdentity(workloadIdentity)
+        }
+
+        /** Alias for calling [Builder.workloadIdentity] with `workloadIdentity.orElse(null)`. */
+        fun workloadIdentity(workloadIdentity: Optional<WorkloadIdentity>) =
+            workloadIdentity(workloadIdentity.getOrNull())
+
         fun azureServiceVersion(azureServiceVersion: AzureOpenAIServiceVersion) = apply {
             clientOptions.azureServiceVersion(azureServiceVersion)
         }

openai-java-client-okhttp/src/main/kotlin/com/openai/client/okhttp/OpenAIOkHttpClientAsync.kt

@@ -3,6 +3,7 @@
 package com.openai.client.okhttp
 
 import com.fasterxml.jackson.databind.json.JsonMapper
+import com.openai.auth.WorkloadIdentity
 import com.openai.azure.AzureOpenAIServiceVersion
 import com.openai.azure.AzureUrlPathMode
 import com.openai.client.OpenAIClientAsync
@@ -277,6 +278,14 @@ class OpenAIOkHttpClientAsync private constructor() {
 
         fun credential(credential: Credential) = apply { clientOptions.credential(credential) }
 
+        fun workloadIdentity(workloadIdentity: WorkloadIdentity?) = apply {
+            clientOptions.workloadIdentity(workloadIdentity)
+        }
+
+        /** Alias for calling [Builder.workloadIdentity] with `workloadIdentity.orElse(null)`. */
+        fun workloadIdentity(workloadIdentity: Optional<WorkloadIdentity>) =
+            workloadIdentity(workloadIdentity.getOrNull())
+
         fun azureServiceVersion(azureServiceVersion: AzureOpenAIServiceVersion) = apply {
             clientOptions.azureServiceVersion(azureServiceVersion)
         }

openai-java-core/src/main/kotlin/com/openai/auth/AzureManagedIdentityTokenProvider.kt

@@ -0,0 +1,144 @@
+package com.openai.auth
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties
+import com.fasterxml.jackson.annotation.JsonProperty
+import com.fasterxml.jackson.databind.json.JsonMapper
+import com.fasterxml.jackson.module.kotlin.jacksonTypeRef
+import com.openai.core.http.HttpClient
+import com.openai.core.http.HttpMethod
+import com.openai.core.http.HttpRequest
+import com.openai.errors.SubjectTokenProviderException
+import java.util.concurrent.CompletableFuture
+import java.util.concurrent.CompletionException
+
+private const val DEFAULT_AUDIENCE = "https://management.azure.com/"
+private const val DEFAULT_AZURE_API_VERSION = "2018-02-01"
+private const val AZURE_IMDS_BASE_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
+
+/**
+ * A [SubjectTokenProvider] that fetches an identity token from the Azure Instance Metadata Service
+ * (IMDS).
+ *
+ * It calls the local IMDS endpoint and returns the `access_token` from the response.
+ */
+class AzureManagedIdentityTokenProvider
+private constructor(private val resource: String, private val apiVersion: String) :
+    SubjectTokenProvider {
+
+    override fun tokenType(): SubjectTokenType = SubjectTokenType.JWT
+
+    override fun getToken(httpClient: HttpClient, jsonMapper: JsonMapper): String {
+        val request =
+            HttpRequest.builder()
+                .method(HttpMethod.GET)
+                .baseUrl(AZURE_IMDS_BASE_URL)
+                .putHeader("Metadata", "true")
+                .putQueryParam("api-version", apiVersion)
+                .putQueryParam("resource", resource)
+                .build()
+
+        return try {
+            val response = httpClient.execute(request)
+            response.use {
+                if (response.statusCode() != 200) {
+                    throw SubjectTokenProviderException(
+                        provider = "azure-imds",
+                        message = "IMDS returned status ${response.statusCode()}",
+                    )
+                }
+
+                val result =
+                    jsonMapper.readValue(response.body(), jacksonTypeRef<AzureIMDSResponse>())
+
+                if (result.accessToken.isEmpty()) {
+                    throw SubjectTokenProviderException(
+                        provider = "azure-imds",
+                        message = "IMDS response missing 'access_token' field",
+                    )
+                }
+
+                result.accessToken
+            }
+        } catch (e: SubjectTokenProviderException) {
+            throw e
+        } catch (e: Exception) {
+            throw SubjectTokenProviderException(
+                provider = "azure-imds",
+                message = "failed to fetch token from IMDS",
+                cause = e,
+            )
+        }
+    }
+
+    override fun getTokenAsync(
+        httpClient: HttpClient,
+        jsonMapper: JsonMapper,
+    ): CompletableFuture<String> {
+        val request =
+            HttpRequest.builder()
+                .method(HttpMethod.GET)
+                .baseUrl(AZURE_IMDS_BASE_URL)
+                .putHeader("Metadata", "true")
+                .putQueryParam("api-version", apiVersion)
+                .putQueryParam("resource", resource)
+                .build()
+
+        return httpClient
+            .executeAsync(request)
+            .thenApply { response ->
+                response.use {
+                    if (response.statusCode() != 200) {
+                        throw SubjectTokenProviderException(
+                            provider = "azure-imds",
+                            message = "IMDS returned status ${response.statusCode()}",
+                        )
+                    }
+
+                    val result =
+                        jsonMapper.readValue(response.body(), jacksonTypeRef<AzureIMDSResponse>())
+
+                    if (result.accessToken.isEmpty()) {
+                        throw SubjectTokenProviderException(
+                            provider = "azure-imds",
+                            message = "IMDS response missing 'access_token' field",
+                        )
+                    }
+
+                    result.accessToken
+                }
+            }
+            .exceptionally { e ->
+                val cause = if (e is CompletionException) e.cause ?: e else e
+                if (cause is SubjectTokenProviderException) throw cause
+                throw SubjectTokenProviderException(
+                    provider = "azure-imds",
+                    message = "failed to fetch token from IMDS",
+                    cause = cause,
+                )
+            }
+    }
+
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    private data class AzureIMDSResponse(@JsonProperty("access_token") val accessToken: String)
+
+    companion object {
+        @JvmStatic fun builder() = Builder()
+    }
+
+    class Builder internal constructor() {
+
+        private var resource: String = DEFAULT_AUDIENCE
+        private var apiVersion: String = DEFAULT_AZURE_API_VERSION
+
+        /**
+         * The Azure resource URI to request a token for (default: `https://management.azure.com/`).
+         */
+        fun resource(resource: String) = apply { this.resource = resource }
+
+        /** The IMDS API version to use (default: `2018-02-01`). */
+        fun apiVersion(apiVersion: String) = apply { this.apiVersion = apiVersion }
+
+        fun build(): AzureManagedIdentityTokenProvider =
+            AzureManagedIdentityTokenProvider(resource, apiVersion)
+    }
+}