Refresh callable Azure API keys before requests

[LittleChenLiya]

Summary

Fix Azure clients so callable api_key providers are refreshed before each request.

AzureOpenAI and AsyncAzureOpenAI override _prepare_options() to add Azure-specific auth headers, but they were not refreshing callable API keys before setting the api-key header. As a result, dynamic API key providers were not applied to requests or retries.

Changes

• refresh callable API keys at the start of AzureOpenAI._prepare_options()
• refresh callable API keys at the start of AsyncAzureOpenAI._prepare_options()
• add sync and async regression tests covering callable api_key providers across retries

Testing

• python -m pytest tests/lib/test_azure.py -n 0
• python -m pytest tests/test_client.py -k "api_key_before_after_refresh or api_key_refresh_on_retry or bearer_token_refresh_async" -n 0

Closes #2626

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a67dbb199

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Gate API key refresh behind API-key auth path

Calling self._refresh_api_key() unconditionally in Azure _prepare_options() now executes user-provided api_key callables even when the request is authenticated via azure_ad_token/azure_ad_token_provider (the token branch still takes precedence immediately after). This creates a regression for clients that provide both credentials: a failing or slow API-key provider can now break or delay requests that previously succeeded with Azure AD auth; the same pattern is present in the async override as well.

Useful? React with 👍 / 👎.

[LittleChenLiya]

Thanks, this makes sense. I'll update the implementation so callable API keys are only refreshed when the request actually falls back to API-key auth, and I'll add coverage for the Azure AD token path as well.

[LittleChenLiya]

Thanks, updated this so callable API keys are only refreshed on the API-key auth path. I also added sync and async regression tests to cover the Azure AD token path and ensure the API key provider is not called when AD auth is used.