Expand description
§agent-framework-azure
An Azure OpenAI ChatClient for agent-framework-rs, supporting both
static API-key and Microsoft Entra ID (OAuth bearer token) authentication.
Azure OpenAI’s Chat Completions wire format is identical to OpenAI’s, so
request/response conversion is reused from
[agent_framework_openai::convert] rather than duplicated — only the URL
shape ({endpoint}/openai/deployments/{deployment}/chat/completions) and
authentication differ.
use agent_framework_azure::AzureOpenAIClient;
use agent_framework_core::prelude::*;
let client = AzureOpenAIClient::new(
"https://my-resource.openai.azure.com",
"my-gpt4o-deployment",
"my-api-key",
);
let agent = Agent::builder(client)
.instructions("You are concise.")
.build();
let reply = agent.run_once("Say hi").await?;
println!("{}", reply.text());Entra ID (bearer token) authentication instead of a static key:
use std::sync::Arc;
use agent_framework_azure::{AzureOpenAIClient, StaticTokenCredential};
let credential = Arc::new(StaticTokenCredential::new("eyJ0eXAi..."));
let client = AzureOpenAIClient::with_token_credential(
"https://my-resource.openai.azure.com",
"my-gpt4o-deployment",
credential,
);A real Microsoft Entra ID credential chain — try a managed identity, then a client secret, then the Azure CLI, whichever succeeds first (each caches and refreshes tokens for the configured scope):
use std::sync::Arc;
use agent_framework_azure::{
AzureCliCredential, ChainedTokenCredential, ClientSecretCredential,
ManagedIdentityCredential, TokenCredential,
};
let scope = "https://cognitiveservices.azure.com/.default";
let chain = ChainedTokenCredential::new(vec![
Arc::new(ManagedIdentityCredential::new(scope)),
Arc::new(ClientSecretCredential::new("tenant", "client", "secret", scope)),
Arc::new(AzureCliCredential::new(scope)),
]);
let token = chain.get_token().await?;Re-exports§
pub use embeddings::AzureOpenAIEmbeddingClient;pub use responses::AzureOpenAIResponsesClient;
Modules§
- embeddings
- Azure OpenAI embeddings client.
- responses
AzureOpenAIResponsesClient: aChatClientfor the Responses API on Azure OpenAI (POST {endpoint}/openai/v1/responses).
Structs§
- Azure
CliCredential - Authenticates by shelling out to the Azure CLI
(
az account get-access-token --scope <scope> --output json). - Azure
OpenAI Client - An Azure OpenAI chat client
(
POST {endpoint}/openai/deployments/{deployment}/chat/completions). - Chained
Token Credential - Tries a sequence of credentials in order, returning the first token
obtained. The index of the first credential to succeed is remembered and
tried first on subsequent calls (re-remembered if a different one later
wins), mirroring
azure_identity’sChainedTokenCredential. - Client
Secret Credential - Authenticates a confidential client via the OAuth2 client-credentials flow
(
POST {authority}/{tenant}/oauth2/v2.0/token). - Default
Azure Credential - A prebuilt
ChainedTokenCredential, in (a subset of)azure_identity’s documentedDefaultAzureCredentialorder. - Environment
Credential - Authenticates a service principal configured entirely by environment
variables, via the client-secret flow:
AZURE_TENANT_ID,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET. - Managed
Identity Credential - Authenticates via an Azure Managed Identity by calling the Instance Metadata
Service (IMDS) token endpoint
(
GET {endpoint}?api-version=2018-02-01&resource=<resource>with theMetadata: trueheader). - Static
Token Credential - A
TokenCredentialthat always returns the same, pre-fetched token. - Workload
Identity Credential - Authenticates via Microsoft Entra Workload ID (Azure Kubernetes Service
workload identity federation): exchanges a Kubernetes projected
service-account token for an Entra access token using the OAuth2
client-credentials grant with a JWT client assertion
(
POST {authority}/{tenant}/oauth2/v2.0/token,client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer).
Constants§
- DEFAULT_
AUTHORITY - The default Entra ID authority (login endpoint) for
ClientSecretCredential. - DEFAULT_
IMDS_ ENDPOINT - The IMDS token endpoint used by
ManagedIdentityCredentialwhen no endpoint is configured or discovered from the environment. - REFRESH_
SKEW - How long before a token’s stated expiry it is considered stale and proactively refreshed (2 minutes), so an in-flight request never races the exact expiry instant.
Traits§
- Token
Credential - Supplies bearer tokens for Microsoft Entra ID authentication.