Add BearerToken Support to Python Open AI#166
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds On-Behalf-Of (OBO) authentication support to the Python OpenAI sample agent, making agentic authentication optional and introducing bearer token-based authentication as an alternative for development and testing scenarios.
Changes:
- Made agentic authentication configurable via
USE_AGENTIC_AUTHenvironment variable - Added support for OBO authentication using bearer tokens via
BEARER_TOKENenvironment variable - Implemented three authentication scenarios: Agentic Auth (production), OBO with bearer token (development/testing), and bare LLM mode (no authentication)
- Added clear logging messages to indicate which authentication mode is active
- Improved error handling with graceful fallback to bare LLM mode when MCP server setup fails
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| python/openai/sample-agent/host_agent_server.py | Conditionalizes agentic authentication setup based on environment variable; only exchanges tokens when agentic auth is enabled |
| python/openai/sample-agent/agent.py | Adds three-scenario authentication logic for MCP server connections with informative logging and fallback behavior |
Josina20
reviewed
Jan 21, 2026
pontemonti
reviewed
Jan 21, 2026
pontemonti
reviewed
Jan 21, 2026
pontemonti
reviewed
Jan 21, 2026
pontemonti
reviewed
Jan 21, 2026
pontemonti
reviewed
Jan 21, 2026
When MCP tool loading fails (e.g., due to authentication issues in CI/CD), the agent now continues without tools rather than throwing an exception. This allows the agent to still respond to basic queries using just the LLM.
Changes: - Remove USE_AGENTIC_AUTH flag, use AUTH_HANDLER_NAME instead - Fix terminology: 'bearer token from config' instead of 'OBO' - Add explicit SKIP_MCP_SERVERS flag for running without tools - Implement proper priority: bearer_token > auth_handler > skip > localhost - Fix comments about auth handler requirements - Always configure auth handlers when AUTH_HANDLER_NAME is set
The previous change broke E2E tests because AGENTIC auth handler was being used by default but not configured in the test environment. Now defaults to no auth handler - users must explicitly set AUTH_HANDLER_NAME=AGENTIC for production agentic authentication.
Instead of throwing errors to the user when MCP servers fail to connect, the agent now gracefully falls back to bare LLM mode. This allows the agent to still respond to basic queries even without MCP tools. Simplified priority logic: 1. SKIP_MCP_SERVERS=true - explicitly skip MCP 2. BEARER_TOKEN - use token from config 3. AUTH_HANDLER_NAME - use agentic auth 4. No auth - skip MCP gracefully (log warning) Any MCP connection errors are caught and logged, allowing the agent to continue operating with just the base LLM capabilities.
pontemonti
reviewed
Jan 21, 2026
mrunalhirve128
previously approved these changes
Jan 22, 2026
pontemonti
approved these changes
Jan 23, 2026
mrunalhirve128
approved these changes
Jan 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.