improvement: handle azure workload identity authentication

[abestel]

Title:

• Handle azure workload identity authentication

Description: (optional)
So far the Azure OpenAI integration was handling authentication using Client ID / Client Secret and Managed identity using the IMDS endpoint which is deprecated in favor of Workload Identity (using the public OAuth2 endpoint of Entra ID).

This changeset aims at handling this new authentication type.

Note that this requires reading environment variables set by the Azure runtime onto the virtual machine / pod using a workload identity. It also needs to read a file on disk (containing an assertion to use to exchange against a JWT).

Motivation: (optional)

• managed identity authentication using IMDS is deprecated and should be replaced by Workload Identity authentication

Related Issues: (optional)
/

[narengogi]

hey @abestel Since you're using fs, this would work well in nodeJS environment, but not cloudflare workers, but that's fine, let me just test these changes in both the environments and go through the code 👨‍💻

[abestel]

Hey @narengogi
FYI, I rebased the branch with the latest version of main because some conflicts appeared. There was no change in the code itself.

[narengogi]

@abestel We'll test this today

[narengogi]

added minor comment, rest looks good

[b4s36t4]

We can remove the scope from here and just handling inside the getAzureWorkloadIdentityToken.

[b4s36t4]

@VisargD Please share your opinion here, we can also accept the contents of AZURE_FEDERATED_TOKEN_FILE file from header and parse it here. With this we can also make sure this works with cloudflare env as well.

[b4s36t4]

hey, @abestel Sorry for back and forth changes, everything looks good to me, just a minor change. Will merge after that.