github · lpcox · May 9, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/docs/awf-config-spec.md b/docs/awf-config-spec.md
@@ -101,6 +101,12 @@ the corresponding CLI flag.
 - `apiProxy.maxEffectiveTokens` → *(config-only; no CLI equivalent)*
 - `apiProxy.modelMultipliers` → *(config-only; no CLI equivalent)*
 - `apiProxy.models` → *(config-only; model alias rewriting)*
+- `apiProxy.auth.type` → *(config-only; maps to `AWF_AUTH_TYPE`)*
+- `apiProxy.auth.oidcAudience` → *(config-only; maps to `AWF_AUTH_OIDC_AUDIENCE`)*
+- `apiProxy.auth.azureTenantId` → *(config-only; maps to `AWF_AUTH_AZURE_TENANT_ID`)*
+- `apiProxy.auth.azureClientId` → *(config-only; maps to `AWF_AUTH_AZURE_CLIENT_ID`)*
+- `apiProxy.auth.azureScope` → *(config-only; maps to `AWF_AUTH_AZURE_SCOPE`)*
+- `apiProxy.auth.azureCloud` → *(config-only; maps to `AWF_AUTH_AZURE_CLOUD`)*
 - `apiProxy.targets.<provider>.host` → `--<provider>-api-target`
 - `apiProxy.targets.openai.basePath` → `--openai-api-base-path`
 - `apiProxy.targets.anthropic.basePath` → `--anthropic-api-base-path`
@@ -325,7 +331,40 @@ COPILOT_PROVIDER_API_KEY
 Placeholder compatibility values (§9.2 item 3) are not secrets and MUST
 NOT be subject to one-shot protection.
 
-### 9.5 DIFC Proxy Credential Isolation
+### 9.5 OIDC Authentication
+
+When `apiProxy.auth.type` is set to `github-oidc`, the API proxy sidecar
+exchanges a GitHub Actions OIDC token for a provider-specific access token
+(e.g., Azure AD / Microsoft Entra). A conforming implementation MUST:
+
+1. Forward the OIDC configuration to the sidecar via the following
+   environment variables:
+
+   | Config path | Environment variable | Required | Default |
+   |-------------|----------------------|----------|---------|
+   | `apiProxy.auth.type` | `AWF_AUTH_TYPE` | ✅ | — |
+   | `apiProxy.auth.oidcAudience` | `AWF_AUTH_OIDC_AUDIENCE` | No | `api://AzureADTokenExchange` |
+   | `apiProxy.auth.azureTenantId` | `AWF_AUTH_AZURE_TENANT_ID` | No | — |
+   | `apiProxy.auth.azureClientId` | `AWF_AUTH_AZURE_CLIENT_ID` | No | — |
+   | `apiProxy.auth.azureScope` | `AWF_AUTH_AZURE_SCOPE` | No | `https://cognitiveservices.azure.com/.default` |
+   | `apiProxy.auth.azureCloud` | `AWF_AUTH_AZURE_CLOUD` | No | `public` |
+
+2. Forward the GitHub Actions OIDC runtime tokens
+   (`ACTIONS_ID_TOKEN_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`) to
+   the sidecar when `AWF_AUTH_TYPE=github-oidc`. These are injected
+   automatically by the Actions runner when the workflow declares
+   `permissions: id-token: write`.
+
+3. NOT expose the exchanged provider token in the agent container
+   environment. The sidecar SHALL inject it into upstream request headers.
+
+> **Note:** `apiProxy.auth.azureTenantId` and `apiProxy.auth.azureClientId`
+> are required for Azure AD federated credential exchange but MAY be omitted
+> when using managed identity. See
+> [docs/api-proxy-sidecar.md](api-proxy-sidecar.md#oidc-authentication-for-azure-openai)
+> for protocol-level details.
+
+### 9.6 DIFC Proxy Credential Isolation
 
 When `security.difcProxy.host` is set, `GITHUB_TOKEN` and `GH_TOKEN` MUST
 be excluded from the agent environment. These tokens SHALL be held
@@ -343,3 +382,5 @@ exclusively by the external DIFC proxy.
   variables
 - [docs/authentication-architecture.md](authentication-architecture.md) —
   Credential isolation architecture and diagrams
+- [docs/api-proxy-sidecar.md](api-proxy-sidecar.md) — API proxy sidecar
+  configuration including OIDC authentication for Azure OpenAI
diff --git a/docs/awf-config.schema.json b/docs/awf-config.schema.json
@@ -112,6 +112,43 @@
               "type": "string"
             }
           }
+        },
+        "auth": {
+          "type": "object",
+          "description": "Authentication configuration for the API proxy sidecar. Enables OIDC-based credential exchange (e.g., GitHub OIDC → Azure AD/Entra for Azure OpenAI). See docs/awf-config-spec.md §9.5.",
+          "additionalProperties": false,
+          "properties": {
+            "type": {
+              "type": "string",
+              "enum": ["github-oidc"],
+              "description": "Authentication type. Currently only 'github-oidc' is supported. Maps to AWF_AUTH_TYPE."
+            },
+            "oidcAudience": {
+              "type": "string",
+              "description": "Audience claim for the GitHub OIDC token. Maps to AWF_AUTH_OIDC_AUDIENCE.",
+              "default": "api://AzureADTokenExchange"
+            },
+            "azureTenantId": {
+              "type": "string",
+              "description": "Azure AD tenant ID for federated credential exchange. Maps to AWF_AUTH_AZURE_TENANT_ID."
+            },
+            "azureClientId": {
+              "type": "string",
+              "description": "Azure AD application (client) ID for the federated credential. Maps to AWF_AUTH_AZURE_CLIENT_ID."
+            },
+            "azureScope": {
+              "type": "string",
+              "description": "Azure token scope. Maps to AWF_AUTH_AZURE_SCOPE.",
+              "default": "https://cognitiveservices.azure.com/.default"
+            },
+            "azureCloud": {
+              "type": "string",
+              "enum": ["public", "usgovernment", "china"],
+              "description": "Azure cloud environment. Maps to AWF_AUTH_AZURE_CLOUD.",
+              "default": "public"
+            }
+          },
+          "required": ["type"]
         }
       }
     },

diff --git a/src/awf-config-schema.json b/src/awf-config-schema.json
@@ -112,6 +112,43 @@
               "type": "string"
             }
           }
+        },
+        "auth": {
+          "type": "object",
+          "description": "Authentication configuration for the API proxy sidecar. Enables OIDC-based credential exchange (e.g., GitHub OIDC → Azure AD/Entra for Azure OpenAI). See docs/awf-config-spec.md §9.5.",
+          "additionalProperties": false,
+          "properties": {
+            "type": {
+              "type": "string",
+              "enum": ["github-oidc"],
+              "description": "Authentication type. Currently only 'github-oidc' is supported. Maps to AWF_AUTH_TYPE."
+            },
+            "oidcAudience": {
+              "type": "string",
+              "description": "Audience claim for the GitHub OIDC token. Maps to AWF_AUTH_OIDC_AUDIENCE.",
+              "default": "api://AzureADTokenExchange"
+            },
+            "azureTenantId": {
+              "type": "string",
+              "description": "Azure AD tenant ID for federated credential exchange. Maps to AWF_AUTH_AZURE_TENANT_ID."
+            },
+            "azureClientId": {
+              "type": "string",
+              "description": "Azure AD application (client) ID for the federated credential. Maps to AWF_AUTH_AZURE_CLIENT_ID."
+            },
+            "azureScope": {
+              "type": "string",
+              "description": "Azure token scope. Maps to AWF_AUTH_AZURE_SCOPE.",
+              "default": "https://cognitiveservices.azure.com/.default"
+            },
+            "azureCloud": {
+              "type": "string",
+              "enum": ["public", "usgovernment", "china"],
+              "description": "Azure cloud environment. Maps to AWF_AUTH_AZURE_CLOUD.",
+              "default": "public"
+            }
+          },
+          "required": ["type"]
         }
       }
     },
@@ -235,7 +272,7 @@
     },
     "environment": {
       "type": "object",
-      "description": "Environment variable propagation into the agent container. Variables are merged in precedence order: AWF-reserved (lowest) → envFile → envAll → CLI -e/--env (highest). When apiProxy.enabled is true, source credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) are excluded from the agent and held in the API proxy sidecar. See docs/awf-config-spec.md §8–9 for normative merge and credential isolation rules.",
+      "description": "Environment variable propagation into the agent container. Variables are merged in precedence order: AWF-reserved (lowest) → envAll → envFile → CLI -e/--env (highest). When apiProxy.enabled is true, source credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) are excluded from the agent and held in the API proxy sidecar. See docs/awf-config-spec.md §8–9 for normative merge and credential isolation rules.",
       "additionalProperties": false,
       "properties": {
         "envFile": {