diff --git a/src/openai/__init__.py b/src/openai/__init__.py index 226fed9554..e5e623464c 100644 --- a/src/openai/__init__.py +++ b/src/openai/__init__.py @@ -9,7 +9,18 @@ from . import types from ._types import NOT_GIVEN, Omit, NoneType, NotGiven, Transport, ProxiesTypes from ._utils import file_from_path -from ._client import Client, OpenAI, Stream, Timeout, Transport, AsyncClient, AsyncOpenAI, AsyncStream, RequestOptions +from ._client import ( + Client, + OpenAI, + Stream, + Timeout, + Transport, + AsyncClient, + AsyncOpenAI, + AsyncStream, + AuthProvider, + RequestOptions, +) from ._models import BaseModel from ._version import __title__, __version__ from ._response import APIResponse as APIResponse, AsyncAPIResponse as AsyncAPIResponse @@ -119,6 +130,8 @@ api_key: str | None = None +auth_provider: AuthProvider | None = None + organization: str | None = None project: str | None = None @@ -165,6 +178,17 @@ def api_key(self, value: str | None) -> None: # type: ignore api_key = value + @property # type: ignore + @override + def auth_provider(self) -> AuthProvider | None: + return auth_provider + + @auth_provider.setter # type: ignore + def auth_provider(self, value: AuthProvider | None) -> None: # type: ignore + global auth_provider + + auth_provider = value + @property # type: ignore @override def organization(self) -> str | None: @@ -348,6 +372,7 @@ def _load_client() -> OpenAI: # type: ignore[reportUnusedFunction] _client = _ModuleClient( api_key=api_key, + auth_provider=auth_provider, organization=organization, project=project, webhook_secret=webhook_secret, diff --git a/src/openai/_client.py b/src/openai/_client.py index ed9b46f4b0..dc679feb49 100644 --- a/src/openai/_client.py +++ b/src/openai/_client.py @@ -3,7 +3,7 @@ from __future__ import annotations import os -from typing import TYPE_CHECKING, Any, Union, Mapping +from typing import TYPE_CHECKING, Any, Union, Mapping, Callable, Awaitable from typing_extensions import Self, override import httpx @@ -25,6 +25,7 @@ get_async_library, ) from ._compat import cached_property +from ._models import FinalRequestOptions from ._version import __version__ from ._streaming import Stream as Stream, AsyncStream as AsyncStream from ._exceptions import OpenAIError, APIStatusError @@ -73,6 +74,9 @@ __all__ = ["Timeout", "Transport", "ProxiesTypes", "RequestOptions", "OpenAI", "AsyncOpenAI", "Client", "AsyncClient"] +AuthProvider = Callable[[], "str | dict[str, str]"] +AsyncAuthProvider = Callable[[], Awaitable["str | dict[str, str]"]] + class OpenAI(SyncAPIClient): # client options @@ -93,6 +97,7 @@ def __init__( self, *, api_key: str | None = None, + auth_provider: AuthProvider | None = None, organization: str | None = None, project: str | None = None, webhook_secret: str | None = None, @@ -124,13 +129,16 @@ def __init__( - `project` from `OPENAI_PROJECT_ID` - `webhook_secret` from `OPENAI_WEBHOOK_SECRET` """ + if api_key and auth_provider: + raise ValueError("The `api_key` and `auth_provider` arguments are mutually exclusive") if api_key is None: api_key = os.environ.get("OPENAI_API_KEY") - if api_key is None: + if api_key is None and auth_provider is None: raise OpenAIError( - "The api_key client option must be set either by passing api_key to the client or by setting the OPENAI_API_KEY environment variable" + "The api_key or auth_provider client option must be set either by passing api_key or auth_provider to the client or by setting the OPENAI_API_KEY environment variable" ) - self.api_key = api_key + self.auth_provider = auth_provider + self.api_key = api_key or "" if organization is None: organization = os.environ.get("OPENAI_ORG_ID") @@ -163,6 +171,7 @@ def __init__( ) self._default_stream_cls = Stream + self._auth_headers: dict[str, str] = {} @cached_property def completions(self) -> Completions: @@ -279,14 +288,27 @@ def with_streaming_response(self) -> OpenAIWithStreamedResponse: def qs(self) -> Querystring: return Querystring(array_format="brackets") + def refresh_auth_headers(self) -> None: + secret = self.auth_provider() if self.auth_provider else self.api_key + if not secret: + # if secret is an empty string, encoding the header will fail + # so we set it to an empty dict + # this is to avoid sending an invalid Authorization header + self._auth_headers = {} + elif isinstance(secret, str): + self._auth_headers = {"Authorization": f"Bearer {secret}"} + else: + self._auth_headers = secret + + @override + def _prepare_options(self, options: FinalRequestOptions) -> FinalRequestOptions: + self.refresh_auth_headers() + return super()._prepare_options(options) + @property @override def auth_headers(self) -> dict[str, str]: - api_key = self.api_key - if not api_key: - # if the api key is an empty string, encoding the header will fail - return {} - return {"Authorization": f"Bearer {api_key}"} + return self._auth_headers @property @override @@ -303,6 +325,7 @@ def copy( self, *, api_key: str | None = None, + auth_provider: AuthProvider | None = None, organization: str | None = None, project: str | None = None, webhook_secret: str | None = None, @@ -338,6 +361,10 @@ def copy( elif set_default_query is not None: params = set_default_query + auth_provider = auth_provider or self.auth_provider + if auth_provider is not None: + _extra_kwargs = {**_extra_kwargs, "auth_provider": auth_provider} + http_client = http_client or self._client return self.__class__( api_key=api_key or self.api_key, @@ -412,6 +439,7 @@ def __init__( self, *, api_key: str | None = None, + auth_provider: AsyncAuthProvider | None = None, organization: str | None = None, project: str | None = None, webhook_secret: str | None = None, @@ -443,13 +471,16 @@ def __init__( - `project` from `OPENAI_PROJECT_ID` - `webhook_secret` from `OPENAI_WEBHOOK_SECRET` """ + if api_key and auth_provider: + raise ValueError("The `api_key` and `auth_provider` arguments are mutually exclusive") if api_key is None: api_key = os.environ.get("OPENAI_API_KEY") - if api_key is None: + if api_key is None and auth_provider is None: raise OpenAIError( - "The api_key client option must be set either by passing api_key to the client or by setting the OPENAI_API_KEY environment variable" + "The api_key or auth_provider client option must be set either by passing api_key or auth_provider to the client or by setting the OPENAI_API_KEY environment variable" ) - self.api_key = api_key + self.auth_provider = auth_provider + self.api_key = api_key or "" if organization is None: organization = os.environ.get("OPENAI_ORG_ID") @@ -482,6 +513,7 @@ def __init__( ) self._default_stream_cls = AsyncStream + self._auth_headers: dict[str, str] = {} @cached_property def completions(self) -> AsyncCompletions: @@ -598,14 +630,30 @@ def with_streaming_response(self) -> AsyncOpenAIWithStreamedResponse: def qs(self) -> Querystring: return Querystring(array_format="brackets") + async def refresh_auth_headers(self) -> None: + if self.auth_provider: + secret = await self.auth_provider() + else: + secret = self.api_key + if not secret: + # if the secret is an empty string, encoding the header will fail + # so we set it to an empty dict + # this is to avoid sending an invalid Authorization header + self._auth_headers = {} + elif isinstance(secret, str): + self._auth_headers = {"Authorization": f"Bearer {secret}"} + else: + self._auth_headers = secret + + @override + async def _prepare_options(self, options: FinalRequestOptions) -> FinalRequestOptions: + await self.refresh_auth_headers() + return await super()._prepare_options(options) + @property @override def auth_headers(self) -> dict[str, str]: - api_key = self.api_key - if not api_key: - # if the api key is an empty string, encoding the header will fail - return {} - return {"Authorization": f"Bearer {api_key}"} + return self._auth_headers @property @override @@ -622,6 +670,7 @@ def copy( self, *, api_key: str | None = None, + auth_provider: AsyncAuthProvider | None = None, organization: str | None = None, project: str | None = None, webhook_secret: str | None = None, @@ -657,6 +706,10 @@ def copy( elif set_default_query is not None: params = set_default_query + auth_provider = auth_provider or self.auth_provider + if auth_provider is not None: + _extra_kwargs = {**_extra_kwargs, "auth_provider": auth_provider} + http_client = http_client or self._client return self.__class__( api_key=api_key or self.api_key, diff --git a/src/openai/lib/azure.py b/src/openai/lib/azure.py index a994e4256c..95a3d3e9c3 100644 --- a/src/openai/lib/azure.py +++ b/src/openai/lib/azure.py @@ -255,7 +255,7 @@ def __init__( self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None @override - def copy( + def copy( # type: ignore self, *, api_key: str | None = None, @@ -301,7 +301,7 @@ def copy( }, ) - with_options = copy + with_options = copy # type: ignore def _get_azure_ad_token(self) -> str | None: if self._azure_ad_token is not None: @@ -536,7 +536,7 @@ def __init__( self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None @override - def copy( + def copy( # type: ignore self, *, api_key: str | None = None, @@ -582,7 +582,7 @@ def copy( }, ) - with_options = copy + with_options = copy # type: ignore async def _get_azure_ad_token(self) -> str | None: if self._azure_ad_token is not None: diff --git a/src/openai/resources/beta/realtime/realtime.py b/src/openai/resources/beta/realtime/realtime.py index 8e1b558cf3..beff8eb582 100644 --- a/src/openai/resources/beta/realtime/realtime.py +++ b/src/openai/resources/beta/realtime/realtime.py @@ -358,6 +358,7 @@ async def __aenter__(self) -> AsyncRealtimeConnection: raise OpenAIError("You need to install `openai[realtime]` to use this method") from exc extra_query = self.__extra_query + await self.__client.refresh_auth_headers() auth_headers = self.__client.auth_headers if is_async_azure_client(self.__client): url, auth_headers = await self.__client._configure_realtime(self.__model, extra_query) @@ -540,6 +541,7 @@ def __enter__(self) -> RealtimeConnection: raise OpenAIError("You need to install `openai[realtime]` to use this method") from exc extra_query = self.__extra_query + self.__client.refresh_auth_headers() auth_headers = self.__client.auth_headers if is_azure_client(self.__client): url, auth_headers = self.__client._configure_realtime(self.__model, extra_query) diff --git a/tests/test_client.py b/tests/test_client.py index ccda50a7f0..91ad7e06ba 100644 --- a/tests/test_client.py +++ b/tests/test_client.py @@ -11,7 +11,7 @@ import inspect import subprocess import tracemalloc -from typing import Any, Union, cast +from typing import Any, Union, Protocol, cast from textwrap import dedent from unittest import mock from typing_extensions import Literal @@ -41,6 +41,10 @@ api_key = "My API Key" +class MockRequestCall(Protocol): + request: httpx.Request + + def _get_params(client: BaseClient[Any, Any]) -> dict[str, str]: request = client._build_request(FinalRequestOptions(method="get", url="/foo")) url = httpx.URL(request.url) @@ -337,7 +341,9 @@ def test_default_headers_option(self) -> None: def test_validate_headers(self) -> None: client = OpenAI(base_url=base_url, api_key=api_key, _strict_response_validation=True) - request = client._build_request(FinalRequestOptions(method="get", url="/foo")) + options = client._prepare_options(FinalRequestOptions(method="get", url="/foo")) + request = client._build_request(options) + assert request.headers.get("Authorization") == f"Bearer {api_key}" with pytest.raises(OpenAIError): @@ -939,6 +945,68 @@ def test_follow_redirects_disabled(self, respx_mock: MockRouter) -> None: assert exc_info.value.response.status_code == 302 assert exc_info.value.response.headers["Location"] == f"{base_url}/redirected" + def test_refresh_auth_headers_str_token(self) -> None: + client = OpenAI(base_url=base_url, auth_provider=lambda: "test_bearer_token") + client.refresh_auth_headers() + assert client.auth_headers.get("Authorization") == "Bearer test_bearer_token" + + def test_refresh_auth_headers_dict(self) -> None: + client = OpenAI(base_url=base_url, auth_provider=lambda: {"Authorization": "Bearer test_bearer_token"}) + client.refresh_auth_headers() + assert client.auth_headers == {"Authorization": "Bearer test_bearer_token"} + + def test_refresh_auth_headers_key(self) -> None: + client = OpenAI(base_url=base_url, api_key="test_api_key") + client.refresh_auth_headers() + assert client.auth_headers.get("Authorization") == "Bearer test_api_key" + + @pytest.mark.respx() + def test_auth_provider_refresh(self, respx_mock: MockRouter) -> None: + respx_mock.post(base_url + "/chat/completions").mock( + side_effect=[ + httpx.Response(500, json={"error": "server error"}), + httpx.Response(200, json={"foo": "bar"}), + ] + ) + + counter = 0 + + def auth_provider() -> str: + nonlocal counter + + counter += 1 + + if counter == 1: + return "first" + + return "second" + + client = OpenAI(base_url=base_url, auth_provider=auth_provider) + client.chat.completions.create(messages=[], model="gpt-4") + + calls = cast("list[MockRequestCall]", respx_mock.calls) + assert len(calls) == 2 + + assert calls[0].request.headers.get("Authorization") == "Bearer first" + assert calls[1].request.headers.get("Authorization") == "Bearer second" + + def test_auth_mutually_exclusive(self) -> None: + with pytest.raises(ValueError) as exc_info: + OpenAI(base_url=base_url, api_key=api_key, auth_provider=lambda: "test_bearer_token") + assert str(exc_info.value) == "The `api_key` and `auth_provider` arguments are mutually exclusive" + + def test_copy_auth(self) -> None: + client = OpenAI(base_url=base_url, auth_provider=lambda: "test_bearer_token_1").copy( + auth_provider=lambda: "test_bearer_token_2" + ) + client.refresh_auth_headers() + assert client.auth_headers == {"Authorization": "Bearer test_bearer_token_2"} + + def test_copy_auth_mutually_exclusive(self) -> None: + with pytest.raises(ValueError) as exc_info: + OpenAI(base_url=base_url, api_key=api_key).copy(auth_provider=lambda: "test_bearer_token") + assert str(exc_info.value) == "The `api_key` and `auth_provider` arguments are mutually exclusive" + class TestAsyncOpenAI: client = AsyncOpenAI(base_url=base_url, api_key=api_key, _strict_response_validation=True) @@ -1220,9 +1288,10 @@ def test_default_headers_option(self) -> None: assert request.headers.get("x-foo") == "stainless" assert request.headers.get("x-stainless-lang") == "my-overriding-header" - def test_validate_headers(self) -> None: + async def test_validate_headers(self) -> None: client = AsyncOpenAI(base_url=base_url, api_key=api_key, _strict_response_validation=True) - request = client._build_request(FinalRequestOptions(method="get", url="/foo")) + options = await client._prepare_options(FinalRequestOptions(method="get", url="/foo")) + request = client._build_request(options) assert request.headers.get("Authorization") == f"Bearer {api_key}" with pytest.raises(OpenAIError): @@ -1887,3 +1956,86 @@ async def test_follow_redirects_disabled(self, respx_mock: MockRouter) -> None: assert exc_info.value.response.status_code == 302 assert exc_info.value.response.headers["Location"] == f"{base_url}/redirected" + + @pytest.mark.asyncio + async def test_refresh_auth_headers_str_token_async(self) -> None: + async def auth_provider() -> str: + return "test_bearer_token" + + client = AsyncOpenAI(base_url=base_url, auth_provider=auth_provider) + await client.refresh_auth_headers() + assert client.auth_headers.get("Authorization") == "Bearer test_bearer_token" + + @pytest.mark.asyncio + async def test_refresh_auth_headers_dict_async(self) -> None: + async def auth_provider() -> dict[str, str]: + return {"Authorization": "Bearer test_bearer_token"} + + client = AsyncOpenAI(base_url=base_url, auth_provider=auth_provider) + await client.refresh_auth_headers() + assert client.auth_headers == {"Authorization": "Bearer test_bearer_token"} + + @pytest.mark.asyncio + async def test_refresh_auth_headers_key_async(self) -> None: + client = AsyncOpenAI(base_url=base_url, api_key="test_api_key") + await client.refresh_auth_headers() + assert client.auth_headers.get("Authorization") == "Bearer test_api_key" + + @pytest.mark.asyncio + @pytest.mark.respx() + async def test_bearer_token_refresh_async(self, respx_mock: MockRouter) -> None: + respx_mock.post(base_url + "/chat/completions").mock( + side_effect=[ + httpx.Response(500, json={"error": "server error"}), + httpx.Response(200, json={"foo": "bar"}), + ] + ) + + counter = 0 + + async def auth_provider() -> str: + nonlocal counter + + counter += 1 + + if counter == 1: + return "first" + + return "second" + + client = AsyncOpenAI(base_url=base_url, auth_provider=auth_provider) + await client.chat.completions.create(messages=[], model="gpt-4") + + calls = cast("list[MockRequestCall]", respx_mock.calls) + assert len(calls) == 2 + + assert calls[0].request.headers.get("Authorization") == "Bearer first" + assert calls[1].request.headers.get("Authorization") == "Bearer second" + + def test_auth_mutually_exclusive_async(self) -> None: + async def auth_provider() -> str: + return "test_bearer_token" + + with pytest.raises(ValueError) as exc_info: + AsyncOpenAI(base_url=base_url, api_key=api_key, auth_provider=auth_provider) + assert str(exc_info.value) == "The `api_key` and `auth_provider` arguments are mutually exclusive" + + @pytest.mark.asyncio + async def test_copy_auth(self) -> None: + async def auth_provider_1() -> str: + return "test_bearer_token_1" + + async def auth_provider_2() -> str: + return "test_bearer_token_2" + + client = AsyncOpenAI(base_url=base_url, auth_provider=auth_provider_1).copy(auth_provider=auth_provider_2) + await client.refresh_auth_headers() + assert client.auth_headers == {"Authorization": "Bearer test_bearer_token_2"} + + def test_copy_auth_mutually_exclusive_async(self) -> None: + async def auth_provider() -> str: + return "test_bearer_token" + + with pytest.raises(ValueError) as exc_info: + AsyncOpenAI(base_url=base_url, api_key=api_key).copy(auth_provider=auth_provider) + assert str(exc_info.value) == "The `api_key` and `auth_provider` arguments are mutually exclusive" diff --git a/tests/test_module_client.py b/tests/test_module_client.py index 9c9a1addab..862fe713db 100644 --- a/tests/test_module_client.py +++ b/tests/test_module_client.py @@ -15,6 +15,7 @@ def reset_state() -> None: openai._reset_client() openai.api_key = None or "My API Key" + openai.auth_provider = None openai.organization = None openai.project = None openai.webhook_secret = None @@ -97,6 +98,28 @@ def test_http_client_option() -> None: assert openai.completions._client._client is new_client +def test_auth_provider_str_option() -> None: + assert openai.auth_provider is None + assert openai.completions._client.auth_provider is None + + openai.auth_provider = lambda: "foo" + + assert openai.auth_provider() == "foo" + assert openai.completions._client.auth_provider + assert openai.completions._client.auth_provider() == "foo" + + +def test_auth_provider_dict_option() -> None: + assert openai.auth_provider is None + assert openai.completions._client.auth_provider is None + + openai.auth_provider = lambda: {"foo": "bar"} + + assert openai.auth_provider() == {"foo": "bar"} + assert openai.completions._client.auth_provider + assert openai.completions._client.auth_provider() == {"foo": "bar"} + + import contextlib from typing import Iterator @@ -123,6 +146,27 @@ def test_only_api_key_results_in_openai_api() -> None: assert type(openai.completions._client).__name__ == "_ModuleClient" +def test_only_auth_provider_in_openai_api() -> None: + with fresh_env(): + openai.api_type = None + openai.api_key = None + openai.auth_provider = lambda: "example bearer token" + + assert type(openai.completions._client).__name__ == "_ModuleClient" + + +def test_both_api_key_and_auth_provider_in_openai_api() -> None: + with fresh_env(): + openai.api_key = "example API key" + openai.auth_provider = lambda: "example bearer token" + + with pytest.raises( + ValueError, + match=r"The `api_key` and `auth_provider` arguments are mutually exclusive", + ): + openai.completions._client # noqa: B018 + + def test_azure_api_key_env_without_api_version() -> None: with fresh_env(): openai.api_type = None