fix: Use ad_token_provider for automatic token refresh

hunterjam · hunterjam · commit 3f039d06f2fd · 2026-01-07T11:15:45.000-05:00
- Updated orchestrator.py to use ad_token_provider instead of credential
- This ensures tokens are refreshed automatically when they expire
- Eliminates need to restart ACI container when managed identity tokens go stale
- Updated requirements.txt with agent-framework 1.0.0b260106 and dependencies
diff --git a/archive-doc-gen/src/requirements.txt b/archive-doc-gen/src/requirements.txt
@@ -1,28 +1,28 @@
-azure-identity==1.25.0
+azure-identity==1.25.1
 # Flask[async]==2.3.2
-openai==2.0.1
-azure-search-documents==11.7.0b1
-azure-storage-blob==12.26.0
-python-dotenv==1.1.1
+openai==2.14.0
+azure-search-documents==11.7.0b2
+azure-storage-blob==12.27.1
+python-dotenv==1.2.1
 azure-cosmos==4.9.0
-azure-ai-projects==1.0.0
+azure-ai-projects==2.0.0b2
 azure-ai-inference==1.0.0b9
 quart==0.20.0
-uvicorn==0.37.0
-aiohttp==3.12.15
+uvicorn==0.38.0
+aiohttp==3.13.2
 gunicorn==23.0.0
-pydantic==2.11.10
-pydantic-settings==2.10.1
+pydantic==2.12.5
+pydantic-settings==2.12.0
 flake8==7.3.0
 black==25.9.0
 autoflake==2.3.1
 isort==6.1.0
-opentelemetry-exporter-otlp-proto-grpc
+opentelemetry-exporter-otlp-proto-grpc==1.39.1
 opentelemetry-exporter-otlp-proto-http
-opentelemetry-exporter-otlp-proto-grpc
 azure-monitor-events-extension
-opentelemetry-sdk==1.37.0
-opentelemetry-api==1.37.0
-opentelemetry-semantic-conventions==0.58b0
-opentelemetry-instrumentation==0.58b0
-azure-monitor-opentelemetry==1.8.1
+opentelemetry-sdk==1.39.1
+opentelemetry-api==1.39.1
+opentelemetry-semantic-conventions==0.60b1
+opentelemetry-instrumentation
+azure-monitor-opentelemetry==1.8.1
+agent-framework==1.0.0b260106
diff --git a/content-gen/src/backend/orchestrator.py b/content-gen/src/backend/orchestrator.py
@@ -20,6 +20,9 @@
 import re
 from typing import Any, AsyncIterator, Optional, cast
 
+# Token endpoint for Azure Cognitive Services (used for Azure OpenAI)
+TOKEN_ENDPOINT = "https://cognitiveservices.azure.com/.default"
+
 from agent_framework import (
     ChatAgent,
     ChatMessage,
@@ -286,13 +289,22 @@ def _get_chat_client(self) -> AzureOpenAIChatClient:
             if not endpoint:
                 raise ValueError("AZURE_OPENAI_ENDPOINT is not configured")
             
-            # Use DefaultAzureCredential for RBAC authentication
-            logger.info("Using DefaultAzureCredential for Azure OpenAI")
+            # Use ad_token_provider for automatic token refresh
+            # This ensures tokens are refreshed automatically when they expire,
+            # avoiding 401 errors that require container restarts
+            credential = DefaultAzureCredential()
+            
+            def get_token() -> str:
+                """Token provider callable - invoked for each request to ensure fresh tokens."""
+                token = credential.get_token(TOKEN_ENDPOINT)
+                return token.token
+            
+            logger.info("Using DefaultAzureCredential with ad_token_provider for Azure OpenAI")
             self._chat_client = AzureOpenAIChatClient(
                 endpoint=endpoint,
                 deployment_name=app_settings.azure_openai.gpt_model,
                 api_version=app_settings.azure_openai.api_version,
-                credential=DefaultAzureCredential(),
+                ad_token_provider=get_token,
             )
         return self._chat_client
     
