AzureOpenAI with AAD bearer token passed via api_key works in 2.33.0 but returns 401 in 2.34.0 and after #3282

@pfijen

Confirm this is an issue with the Python library and not an underlying OpenAI API

  • This is an issue with the Python library

Describe the bug

After upgrading from openai==2.33.0 to openai==2.34.0, requests made with AzureOpenAI started returning 401 Unauthorized.

The same code works with 2.33.0 and fails with 2.34.0.

In our setup, we obtain an Azure AD access token and pass it into AzureOpenAI(..., api_key=...) while using a custom base_url that points to an Azure API Management proxy in front of Azure OpenAI.

This behavior appears to have changed between 2.33.0 and 2.34.0. My suspicion is that 2.34.0 now consistently treats api_key as an api-key header, whereas our working 2.33.0 behavior effectively allowed this token to work against our endpoint.

(This is my first GitHub issue report, assisted by AI; feedback is welcome, of course!)

Expected behavior

Behavior should remain compatible across the upgrade, or the change should be documented clearly.

Concretely, one of the following would help:

  • >=2.34.0 preserves the prior behavior, or
  • the docs / changelog explicitly state that Azure AD bearer tokens must now be passed via azure_ad_token or azure_ad_token_provider, not api_key.

Actual behavior

With openai==2.34.0, the request fails with 401 'Access denied' from our endpoint.
With openai==2.33.0, the same request succeeds.

Additional context

Repository inspection suggests Azure auth behavior changed in 2.34.0, including changelog items such as:

  • allow explicit Azure auth headers
  • resolve python auth type checks
  • preserve selected auth credentials
  • avoid bearer fallback for admin auth

From reading the current code, it looks like:

  • azure_ad_token / azure_ad_token_provider send Authorization: Bearer ...
  • api_key sends api-key: ...

That would explain why passing an AAD bearer token in api_key now returns 401 in our APIM/proxied Azure setup.

To Reproduce

  1. Install openai==2.33.0
  2. Run the code below: request succeeds
  3. Upgrade to openai==2.34.0
  4. Run the exact same code: request fails with "Error code: 401 - {'error': {'code': '401', 'message': 'Access denied due to invalid subscription key or wrong API endpoint. Make sure to provide a valid key for an active subscription and use a correct regional API endpoint for your resource.'}}"

Code snippets

import os
from openai import AzureOpenAI
from azure.identity import ClientSecretCredential

client_id = dbutils.secrets.get(scope="OneLab-SecretScope", key="DataServicePrincipalClientId")
client_secret = dbutils.secrets.get(scope="OneLab-SecretScope", key="DataServicePrincipalClientSecret")

credential = ClientSecretCredential(
    tenant_id="<redacted>",
    client_id=client_id,
    client_secret=client_secret,
)

access_token = credential.get_token("https://cognitiveservices.azure.com/.default")

os.environ["AZURE_OPENAI_TOKEN"] = access_token.token
os.environ["AZURE_OPENAI_VERSION"] = "2024-06-01"

client = AzureOpenAI(
    api_key=os.environ["AZURE_OPENAI_TOKEN"],
    api_version=os.environ["AZURE_OPENAI_VERSION"],
    base_url="<redacted>",
)

completion = client.chat.completions.create(
    model="gpt-5.1",
    messages=[
        {"role": "user", "content": "Hello! Could you solve 3^2?"}
    ]
)

print(completion)

OS

Databricks runtime 18.1 & Spark 4.1.0

Python version

3.12.3

Library version

openai v2.34.0
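
An added example, not part of the original report and not code from the openai library: a guard that spots a JWT-shaped Azure AD access token and routes it to `azure_ad_token` rather than `api_key`, matching the header split described above. The helper names, the sample values and the "three base64url segments with a JSON header" heuristic are assumptions made for this sketch.

```python
import base64
import json

def _b64url_json(segment):
    """Decode one base64url JWT segment to a dict; None if it is not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all land here
        return None
    return obj if isinstance(obj, dict) else None

def looks_like_jwt(value):
    """True for the header.payload.signature shape of an AAD access token."""
    parts = value.strip().split(".")
    if len(parts) != 3 or not all(parts):
        return False
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    return header is not None and "alg" in header and payload is not None

def azure_auth_kwargs(credential):
    """Hypothetical helper: choose the AzureOpenAI keyword for a credential."""
    if looks_like_jwt(credential):
        # Bearer token: goes out as "Authorization: Bearer ..."
        return {"azure_ad_token": credential}
    # Assumption: anything that is not JWT-shaped is a resource/APIM key,
    # which goes out as "api-key: ..."
    return {"api_key": credential}

def _seg(obj):
    """Build one unpadded base64url segment for the constructed sample."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"aud": "https://cognitiveservices.azure.com"}),
    "c2lnbmF0dXJl",
])
SAMPLE_KEY = "0123456789abcdef0123456789abcdef"

if __name__ == "__main__":
    for name, cred in (("token", SAMPLE_TOKEN), ("key", SAMPLE_KEY)):
        print(name, "->", list(azure_auth_kwargs(cred)))
```

The returned dict can be unpacked into the `AzureOpenAI(...)` constructor alongside `api_version` and `base_url`. For long-running jobs, `azure_ad_token_provider` is called on every request and so can return a fresh token instead of a static one.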
