Skip to content

Fix workload identity authentication for WebSockets#3485

Open
fallintoplace wants to merge 2 commits into
openai:mainfrom
fallintoplace:fix/workload-identity-websocket-auth
Open

Fix workload identity authentication for WebSockets#3485
fallintoplace wants to merge 2 commits into
openai:mainfrom
fallintoplace:fix/workload-identity-websocket-auth

Conversation

@fallintoplace

@fallintoplace fallintoplace commented Jul 10, 2026

Copy link
Copy Markdown

Summary

  • resolve workload identity bearer tokens immediately before WebSocket handshakes
  • respect socket-specific Authorization overrides and omissions before exchanging a workload token
  • share bearer-token resolution between HTTP and WebSocket transports
  • invalidate cached workload identity tokens and retry once after a 401 handshake only when workload identity authenticated the first attempt
  • cover Responses, Beta Responses, Realtime, and Beta Realtime managers in sync and async clients

Testing

  • pytest -n 0 tests/test_client.py tests/test_websocket_connection_options.py (187 passed)
  • Ruff
  • Pyright
  • mypy

The full generated API-resource suite requires the external mock server on port 4010, which was not running locally.

@fallintoplace fallintoplace requested a review from a team as a code owner July 10, 2026 20:47

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9e6f44d6d8

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread src/openai/_client.py
return f"Bearer {self._workload_identity_auth.get_token()}", True

def _websocket_auth_headers(self) -> dict[str, str]:
authorization, _ = self._resolve_auth_header(self.auth_headers.get("Authorization"))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Respect WebSocket Authorization overrides before token exchange

With a workload-identity client this resolves a workload token unconditionally, while the WebSocket managers only merge extra_headers afterward. If a caller supplies extra_headers={"Authorization": ...} or omits that header to override auth for a specific socket, that override would win later, but the workload token exchange still runs first and can fail or block the connection despite the supplied header; HTTP requests avoid this by resolving only when the merged Authorization is the workload placeholder. Consider deferring workload-token resolution until after WebSocket extra headers are considered.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant