Skip to main content

Crate agent_framework_azure

Crate agent_framework_azure 

Source
Expand description

§agent-framework-azure

An Azure OpenAI ChatClient for agent-framework-rs, supporting both static API-key and Microsoft Entra ID (OAuth bearer token) authentication.

Azure OpenAI’s Chat Completions wire format is identical to OpenAI’s, so request/response conversion is reused from [agent_framework_openai::convert] rather than duplicated — only the URL shape ({endpoint}/openai/deployments/{deployment}/chat/completions) and authentication differ.

use agent_framework_azure::AzureOpenAIClient;
use agent_framework_core::prelude::*;

let client = AzureOpenAIClient::new(
    "https://my-resource.openai.azure.com",
    "my-gpt4o-deployment",
    "my-api-key",
);
let agent = Agent::builder(client)
    .instructions("You are concise.")
    .build();
let reply = agent.run_once("Say hi").await?;
println!("{}", reply.text());

Entra ID (bearer token) authentication instead of a static key:

use std::sync::Arc;
use agent_framework_azure::{AzureOpenAIClient, StaticTokenCredential};

let credential = Arc::new(StaticTokenCredential::new("eyJ0eXAi..."));
let client = AzureOpenAIClient::with_token_credential(
    "https://my-resource.openai.azure.com",
    "my-gpt4o-deployment",
    credential,
);

A real Microsoft Entra ID credential chain — try a managed identity, then a client secret, then the Azure CLI, whichever succeeds first (each caches and refreshes tokens for the configured scope):

use std::sync::Arc;
use agent_framework_azure::{
    AzureCliCredential, ChainedTokenCredential, ClientSecretCredential,
    ManagedIdentityCredential, TokenCredential,
};

let scope = "https://cognitiveservices.azure.com/.default";
let chain = ChainedTokenCredential::new(vec![
    Arc::new(ManagedIdentityCredential::new(scope)),
    Arc::new(ClientSecretCredential::new("tenant", "client", "secret", scope)),
    Arc::new(AzureCliCredential::new(scope)),
]);
let token = chain.get_token().await?;

Re-exports§

pub use embeddings::AzureOpenAIEmbeddingClient;
pub use responses::AzureOpenAIResponsesClient;

Modules§

embeddings
Azure OpenAI embeddings client.
responses
AzureOpenAIResponsesClient: a ChatClient for the Responses API on Azure OpenAI (POST {endpoint}/openai/v1/responses).

Structs§

AzureCliCredential
Authenticates by shelling out to the Azure CLI (az account get-access-token --scope <scope> --output json).
AzureOpenAIClient
An Azure OpenAI chat client (POST {endpoint}/openai/deployments/{deployment}/chat/completions).
ChainedTokenCredential
Tries a sequence of credentials in order, returning the first token obtained. The index of the first credential to succeed is remembered and tried first on subsequent calls (re-remembered if a different one later wins), mirroring azure_identity’s ChainedTokenCredential.
ClientSecretCredential
Authenticates a confidential client via the OAuth2 client-credentials flow (POST {authority}/{tenant}/oauth2/v2.0/token).
DefaultAzureCredential
A prebuilt ChainedTokenCredential, in (a subset of) azure_identity’s documented DefaultAzureCredential order.
EnvironmentCredential
Authenticates a service principal configured entirely by environment variables, via the client-secret flow: AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
ManagedIdentityCredential
Authenticates via an Azure Managed Identity by calling the Instance Metadata Service (IMDS) token endpoint (GET {endpoint}?api-version=2018-02-01&resource=<resource> with the Metadata: true header).
StaticTokenCredential
A TokenCredential that always returns the same, pre-fetched token.
WorkloadIdentityCredential
Authenticates via Microsoft Entra Workload ID (Azure Kubernetes Service workload identity federation): exchanges a Kubernetes projected service-account token for an Entra access token using the OAuth2 client-credentials grant with a JWT client assertion (POST {authority}/{tenant}/oauth2/v2.0/token, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer).

Constants§

DEFAULT_AUTHORITY
The default Entra ID authority (login endpoint) for ClientSecretCredential.
DEFAULT_IMDS_ENDPOINT
The IMDS token endpoint used by ManagedIdentityCredential when no endpoint is configured or discovered from the environment.
REFRESH_SKEW
How long before a token’s stated expiry it is considered stale and proactively refreshed (2 minutes), so an in-flight request never races the exact expiry instant.

Traits§

TokenCredential
Supplies bearer tokens for Microsoft Entra ID authentication.