Implementation:BerriAI Litellm Proxy Auth Credentials
| Attribute | Value |
|---|---|
| Sources | litellm/proxy_auth/credentials.py |
| Domains | Proxy Authentication, OAuth2, JWT, Azure AD, Credentials |
| Last Updated | 2026-02-15 16:00 GMT |
Overview
The proxy_auth/credentials module provides a provider-agnostic interface for obtaining OAuth2/JWT tokens for LiteLLM proxy authentication, with built-in support for Azure AD and generic OAuth2 client credentials flows.
Description
This module contains several components for managing authentication tokens:
- AccessToken - A dataclass representing an OAuth2 access token with a token string and expires_on Unix timestamp. Matches the structure used by azure.core.credentials.AccessToken.
- TokenCredential - A runtime-checkable Protocol that defines the interface for credential providers. Any class implementing get_token(scope) -> AccessToken satisfies this protocol.
- AzureADCredential - A wrapper for Azure Identity credentials. It wraps any azure-identity credential (DefaultAzureCredential, ClientSecretCredential, ManagedIdentityCredential, etc.) and converts tokens to the AccessToken format. If no credential is provided, it lazily initializes DefaultAzureCredential on first use.
- GenericOAuth2Credential - A generic OAuth2 client credentials flow implementation compatible with any OAuth2 provider (Okta, Auth0, Keycloak, etc.). It performs token exchange via HTTP POST to the token URL and caches tokens until they expire (with a 60-second buffer).
- ProxyAuthHandler - Manages the OAuth2/JWT token lifecycle for proxy authentication. It obtains, caches, and automatically refreshes tokens before expiration, and generates Authorization headers for HTTP requests. Assigned to litellm.proxy_auth to inject auth headers into all proxy requests.
Usage
Import the appropriate credential class when you need to authenticate LiteLLM requests against a proxy that requires OAuth2/JWT tokens. Set up a ProxyAuthHandler with your chosen credential provider and assign it to litellm.proxy_auth.
Code Reference
Source Location
litellm/proxy_auth/credentials.py
Signature
@dataclass
class AccessToken:
    token: str
    expires_on: int

@runtime_checkable
class TokenCredential(Protocol):
    def get_token(self, scope: str) -> AccessToken

class AzureADCredential:
    def __init__(self, credential: Optional[Any] = None)
    def get_token(self, scope: str) -> AccessToken

class GenericOAuth2Credential:
    def __init__(self, client_id: str, client_secret: str, token_url: str)
    def get_token(self, scope: str) -> AccessToken

class ProxyAuthHandler:
    def __init__(self, credential: TokenCredential, scope: str)
    def get_token(self) -> AccessToken
    def get_auth_headers(self) -> dict
Import
from litellm.proxy_auth.credentials import (
    AccessToken,
    TokenCredential,
    AzureADCredential,
    GenericOAuth2Credential,
    ProxyAuthHandler,
)
I/O Contract
Inputs
| Parameter | Type | Description |
|---|---|---|
| scope | str | The OAuth2 scope to request (e.g., "api://my-app/.default"). |
| credential | Optional[Any] | An azure-identity credential object (for AzureADCredential). |
| client_id | str | OAuth2 client ID (for GenericOAuth2Credential). |
| client_secret | str | OAuth2 client secret (for GenericOAuth2Credential). |
| token_url | str | Token endpoint URL (for GenericOAuth2Credential). |
Outputs
| Method | Return Type | Description |
|---|---|---|
| get_token | AccessToken | An access token with token (JWT string) and expires_on (Unix timestamp). |
| get_auth_headers | dict | A dictionary with {"Authorization": "Bearer <token>"}. |
Usage Examples
import litellm
from litellm.proxy_auth.credentials import AzureADCredential, ProxyAuthHandler

# Using Azure AD (DefaultAzureCredential)
litellm.proxy_auth = ProxyAuthHandler(
    credential=AzureADCredential(),
    scope="api://my-litellm-proxy/.default",
)
litellm.api_base = "https://my-proxy.example.com"

# Auth headers are now automatically injected
response = litellm.completion(model="gpt-4", messages=[{"role": "user", "content": "Hello"}])

from litellm.proxy_auth.credentials import GenericOAuth2Credential, ProxyAuthHandler

# Using generic OAuth2 (Okta, Auth0, Keycloak, etc.)
cred = GenericOAuth2Credential(
    client_id="my-client-id",
    client_secret="my-client-secret",
    token_url="https://my-idp.com/oauth2/token",
)
handler = ProxyAuthHandler(credential=cred, scope="my-api-scope")
headers = handler.get_auth_headers()
# {'Authorization': 'Bearer eyJ0eXAi...'}
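The caching rule described for GenericOAuth2Credential (reuse a token until 60 seconds before it expires) and the TokenCredential protocol, shown as an added sketch that is not LiteLLM's own code. AccessToken and TokenCredential here are local stand-ins mirroring the signatures above; CachingCredential, auth_headers, the injected fetch and clock callables, and the per-scope cache are assumptions made for illustration.

```python
import threading
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Protocol, runtime_checkable

REFRESH_BUFFER_SECONDS = 60  # refresh this long before expiry, as the page describes


@dataclass(frozen=True)
class AccessToken:  # local stand-in mirroring the page's dataclass
    token: str = field(repr=False)  # keep the bearer token out of logs and tracebacks
    expires_on: int  # Unix timestamp


@runtime_checkable
class TokenCredential(Protocol):  # local stand-in for the page's Protocol
    def get_token(self, scope: str) -> AccessToken: ...


class CachingCredential:
    """Hypothetical provider: caches one token per scope and refreshes it early."""

    def __init__(self, fetch: Callable[[str], AccessToken],
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch  # performs the real token exchange (e.g. the HTTP POST)
        self._clock = clock  # injectable so expiry handling can be tested offline
        self._cache: Dict[str, AccessToken] = {}
        self._lock = threading.Lock()  # one refresh at a time across threads

    def get_token(self, scope: str) -> AccessToken:
        with self._lock:
            cached = self._cache.get(scope)
            if cached and cached.expires_on - self._clock() > REFRESH_BUFFER_SECONDS:
                return cached  # still valid beyond the buffer: no network call
            fresh = self._fetch(scope)
            if fresh.expires_on <= self._clock():
                raise ValueError("identity provider returned an already-expired token")
            self._cache[scope] = fresh
            return fresh


def auth_headers(cred: TokenCredential, scope: str) -> Dict[str, str]:
    """Build the Authorization header in the shape the Outputs table documents."""
    return {"Authorization": f"Bearer {cred.get_token(scope).token}"}
```

Keying the cache by scope prevents a token issued for one audience from being sent to another, and excluding the token from repr keeps it out of log lines that print the object.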
Related Pages
- BerriAI_Litellm_Custom_Auth_Template - Custom API key authentication for the proxy
- BerriAI_Litellm_Custom_SSO_Template - Custom SSO handler for identity provider integration
- BerriAI_Litellm_Custom_Secret_Manager_Base - Secret manager for credential storage