I’m getting an authentication error when trying to use the file upload feature after enabling specific configuration settings. The error shows:
  File "/usr/local/lib/python3.11/site-packages/openai/_base_client.py", line 1510, in request
    return await self._request(
  File "/usr/local/lib/python3.11/site-packages/openai/_base_client.py", line 1611, in _request
    raise self._make_status_error_from_response(err.response) from None
openai.AuthenticationError: Error code: 401 - {'statusCode': 401, 'message': 'Unauthorized. Access token is missing, invalid, audience is incorrect, or have expired.'}
I executed these configuration commands before the issue started:
azd env set AZURE_USE_AUTHENTICATION true
python ./scripts/manageacl.py --acl-action enable_acls
azd env set AZURE_ENFORCE_ACCESS_CONTROL true
azd env set AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS true
azd env set AZURE_ENABLE_UNAUTHENTICATED_ACCESS true
azd env set USE_USER_UPLOAD true
The upload feature worked fine before applying these settings. Has anyone encountered this authentication issue when enabling these environment variables? What could be causing the token validation to fail?
Those environment variables create an auth chain that needs proper token flow, but your OpenAI client is probably still using the old auth method. I hit this exact issue - enabling authentication changes the expected token audience, but the client wasn’t set up for Azure’s token validation. Check that your client’s base URL uses the Azure OpenAI endpoint format, not the standard OpenAI one. Also make sure your token has the right scope for Azure OpenAI service - that audience mismatch error means your token isn’t issued for the correct resource. Try setting AZURE_USE_AUTHENTICATION back to false temporarily to confirm this is the problem, then fix your client config.
Your authentication settings are conflicting with each other. You’ve enabled AZURE_USE_AUTHENTICATION true and AZURE_ENFORCE_ACCESS_CONTROL true, but you also have AZURE_ENABLE_UNAUTHENTICATED_ACCESS true. This creates a contradiction where the system requires authentication while also permitting unauthenticated access. I experienced a similar issue when I mistakenly mixed these modes. Start by disabling AZURE_ENABLE_UNAUTHENTICATED_ACCESS to enforce proper authentication. Additionally, ensure that your client is sending the correct bearer token in the Authorization header, as the 401 error typically indicates an issue with the token’s format or audience matching Azure’s expectations.
I think the ACL script messed up the token permissions. Running manageacl.py --acl-action enable_acls might've changed your access settings. Try disabling ACLs first, then re-enable them to reset everything. Had the same problem once.
Classic issue - your OpenAI client config doesn’t match the new auth setup. You flipped AZURE_USE_AUTHENTICATION to true, so now it wants Azure AD tokens, but your client’s still trying to use the old API key method. Hit this same problem last month switching from API keys to managed identity. You need to update your client initialization code to use Azure AD auth instead of API keys. Look for DefaultAzureCredential or whatever token provider you’re using for Azure auth. That missing audience error also means your token isn’t scoped right for the OpenAI resource.
Sounds like a token misconfiguration issue. When you enabled AZURE_USE_AUTHENTICATION true, it probably changed how the API validates tokens. Check if your OpenAI client is still using the right endpoint and auth headers after those changes. I had a similar problem and had to update the token scope.
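The 401 message in the question names four possible causes (missing, invalid, wrong audience, expired), and several replies point at the audience. As an added example (not part of the thread or of the project's code), this Python helper decodes a token's claims locally, without verifying the signature, and reports which of those causes apply. The expected audience value, the function names and the sample tokens are constructed assumptions; substitute the audience your own deployment expects.

```python
import base64
import json
import time


def decode_jwt_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def diagnose_token(token, expected_audience, now=None):
    """Return the causes from the 401 message that apply to this token."""
    if not token:
        return ["missing"]
    try:
        claims = decode_jwt_claims(token)
    except ValueError:  # also covers bad base64 and bad JSON
        return ["invalid"]
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience is incorrect: got {aud!r}, expected {expected_audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"expired or missing exp claim: exp={exp!r}")
    return problems


def make_sample_token(claims):
    """Build a constructed, unsigned sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample values (assumptions, not taken from the thread).
EXPECTED_AUD = "https://cognitiveservices.azure.com"
NOW = 1_700_000_000
wrong_aud = make_sample_token({"aud": "api://00000000-0000-0000-0000-000000000000", "exp": NOW + 3600})
good = make_sample_token({"aud": EXPECTED_AUD, "exp": NOW + 3600})

if __name__ == "__main__":
    print(diagnose_token(wrong_aud, EXPECTED_AUD, now=NOW))
    print(diagnose_token(good, EXPECTED_AUD, now=NOW))
```

Use this only to read claims while debugging; the service still has to validate the signature and issuer, and real tokens should not be pasted into shared logs or tickets.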