Chat Copilot Security Improvements (#126)

### Motivation and Context
This PR addresses
microsoft/semantic-kernel#1639. It is a
combination of PRs #92 and #110

### Description

#### Backend changes
- Remove API key authorization
- Use "AzureAD" as default authentication configuration for deployments,
"None" for running locally (Note: UI changes to disable sign in flow for
the latter case are still forthcoming)
- Enable auth policy on controllers that checks if the user is part of
the conversation they are trying to access

This PR changes the contract between the frontend and backend around how
user IDs are communicated. Users who have been signing into the frontend
with AAD will now only see their chats if the backend is also gated by
AAD authentication, which was not the case previously.

#### Frontend changes
- adds `REACT_APP_AUTH_TYPE` and changes AAD variables in `.env` to be
optional
- adds `AuthHelper.IsAuthAAD` to conditionally render different elements
throughout the app
- changes user settings menu popup to instead just show as a settings
button:

![image](https://github.com/microsoft/chat-copilot/assets/52973358/342f977d-d011-464d-b122-5eff5f8222ac)

Existing users will need to uncomment `REACT_APP_AUTH_TYPE=AzureAd` in
`webapp/.env` to continue using AAD as their authorization type.


### Contribution Checklist

<!-- Before submitting this PR, please make sure: -->

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the [Contribution
Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md)
and the [pre-submission formatting
script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts)
raises no violations
- [ ] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄

---------

Co-authored-by: Desmond Howard <[email protected]>

Author: gitri-ms

.github/workflows/copilot-deploy-environment.yml

@@ -16,12 +16,8 @@ on:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
-      WEB_API_KEY:
-        required: true
       AZURE_OPENAI_ENDPOINT:
         required: true
-      APPLICATION_AUTHORITY:
-        required: true
 
 permissions:
   contents: read
@@ -36,7 +32,6 @@ jobs:
       AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
       AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
       AZURE_SUBSCRIPTION_ID: ${{secrets.AZURE_SUBSCRIPTION_ID}}
-      WEB_API_KEY: ${{secrets.WEB_API_KEY}}
       AZURE_OPENAI_ENDPOINT: ${{secrets.AZURE_OPENAI_ENDPOINT}}
 
   deploy-backend:
@@ -61,4 +56,3 @@ jobs:
       AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
       AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
       AZURE_SUBSCRIPTION_ID: ${{secrets.AZURE_SUBSCRIPTION_ID}}
-      APPLICATION_AUTHORITY: ${{secrets.APPLICATION_AUTHORITY}}

.github/workflows/copilot-deploy-frontend.yml

@@ -16,8 +16,6 @@ on:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
-      APPLICATION_AUTHORITY:
-        required: true
 
 permissions:
   contents: read
@@ -90,4 +88,4 @@ jobs:
 
       - name: Deploy SWA
         run: |
-          scripts/deploy/deploy-webapp.sh --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --resource-group ${{vars.CC_DEPLOYMENT_GROUP_NAME}} --deployment-name ${{inputs.DEPLOYMENT_NAME}} --application-id ${{vars.APPLICATION_CLIENT_ID}} --authority ${{secrets.APPLICATION_AUTHORITY}} --no-redirect --version ${{ steps.versiontag.outputs.versiontag }} --version-info "Built from commit ${{ steps.gitversion.outputs.ShortSha }} on $(date +"%Y-%m-%d")"
+          scripts/deploy/deploy-webapp.sh --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --resource-group ${{vars.CC_DEPLOYMENT_GROUP_NAME}} --deployment-name ${{inputs.DEPLOYMENT_NAME}} --client-id ${{vars.FRONTEND_CLIENT_ID}} --no-redirect --version ${{ steps.versiontag.outputs.versiontag }} --version-info "Built from commit ${{ steps.gitversion.outputs.ShortSha }} on $(date +"%Y-%m-%d")"

.github/workflows/copilot-deploy-infra.yml

@@ -13,8 +13,6 @@ on:
         required: true
       AZURE_SUBSCRIPTION_ID:
         required: true
-      WEB_API_KEY:
-        required: true
       AZURE_OPENAI_ENDPOINT:
         required: true
     outputs:
@@ -61,4 +59,4 @@ jobs:
           inlineScript: |
             AI_SERVICE_KEY=$(az cognitiveservices account keys list --name ${{vars.AZUREOPENAI__NAME}} --resource-group ${{vars.AZUREOPENAI_DEPLOYMENT_GROUP_NAME}} | jq -r '.key1')
             echo "::add-mask::$AI_SERVICE_KEY"
-            scripts/deploy/deploy-azure.sh --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --web-api-key ${{secrets.WEB_API_KEY}} --resource-group ${{vars.CC_DEPLOYMENT_GROUP_NAME}} --deployment-name ${{steps.deployment-id.outputs.deployment_name}} --region ${{vars.CC_DEPLOYMENT_REGION}} --ai-service AzureOpenAI --ai-endpoint ${{secrets.AZURE_OPENAI_ENDPOINT}} --ai-service-key $AI_SERVICE_KEY --app-service-sku ${{vars.WEBAPP_API_SKU}} --no-deploy-package --debug-deployment
+            scripts/deploy/deploy-azure.sh --subscription ${{secrets.AZURE_SUBSCRIPTION_ID}} --resource-group ${{vars.CC_DEPLOYMENT_GROUP_NAME}} --deployment-name ${{steps.deployment-id.outputs.deployment_name}} --region ${{vars.CC_DEPLOYMENT_REGION}} --client-id ${{vars.BACKEND_CLIENT_ID}} --tenant-id ${{secrets.AZURE_TENANT_ID}} --instance ${{vars.AZURE_INSTANCE}} --ai-service AzureOpenAI --ai-endpoint ${{secrets.AZURE_OPENAI_ENDPOINT}} --ai-service-key $AI_SERVICE_KEY --app-service-sku ${{vars.WEBAPP_API_SKU}} --no-deploy-package --debug-deployment

.github/workflows/copilot-deploy-pipeline.yml

@@ -27,9 +27,7 @@ jobs:
       AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
       AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
       AZURE_SUBSCRIPTION_ID: ${{secrets.AZURE_SUBSCRIPTION_ID}}
-      WEB_API_KEY: ${{secrets.WEB_API_KEY}}
       AZURE_OPENAI_ENDPOINT: ${{secrets.AZURE_OPENAI_ENDPOINT}}
-      APPLICATION_AUTHORITY: ${{secrets.APPLICATION_AUTHORITY}}
 
   stable:
     uses: ./.github/workflows/copilot-deploy-environment.yml
@@ -41,6 +39,4 @@ jobs:
       AZURE_CLIENT_ID: ${{secrets.AZURE_CLIENT_ID}}
       AZURE_TENANT_ID: ${{secrets.AZURE_TENANT_ID}}
       AZURE_SUBSCRIPTION_ID: ${{secrets.AZURE_SUBSCRIPTION_ID}}
-      WEB_API_KEY: ${{secrets.WEB_API_KEY}}
       AZURE_OPENAI_ENDPOINT: ${{secrets.AZURE_OPENAI_ENDPOINT}}
-      APPLICATION_AUTHORITY: ${{secrets.APPLICATION_AUTHORITY}}

.vscode/settings.json

@@ -46,6 +46,7 @@
       "**/.hg": true,
       "**/CVS": true,
       "**/.DS_Store": true,
-      "**/Thumbs.db": true
+      "**/Thumbs.db": true,
+      "**.lock": true,
     },
   }

README.md

@@ -17,8 +17,6 @@ You will need the following items to run the sample:
 - [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet/7.0) _(via Setup script)_
 - [Node.js](https://nodejs.org/en/download) _(via Setup script)_
 - [Yarn](https://classic.yarnpkg.com/docs/install) _(via Setup script)_
-- [Azure account](https://azure.microsoft.com/free)
-- [Azure AD Tenant](https://learn.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
 - AI Service
 
 | AI Service   | Requirement                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
@@ -28,13 +26,6 @@ You will need the following items to run the sample:
 
 # Instructions
 
-## Register an application
-
-1. Follow [these instructions](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app) and use the values below:
-   - `Supported account types`: "_Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)_"
-   - `Redirect URI (optional)`: _Single-page application (SPA)_ and use _http://localhost:3000_.
-2. Take note of the `Application (client) ID`. Chat Copilot will use this ID for authentication.
-
 ## Windows
 
 1. Open PowerShell as an administrator.
@@ -52,19 +43,12 @@ You will need the following items to run the sample:
 3. Configure Chat Copilot.
 
    ```powershell
-   .\Configure.ps1 -AIService {AI_SERVICE} -APIKey {API_KEY} -Endpoint {AZURE_OPENAI_ENDPOINT} -ClientId {AZURE_APPLICATION_ID}
+   .\Configure.ps1 -AIService {AI_SERVICE} -APIKey {API_KEY} -Endpoint {AZURE_OPENAI_ENDPOINT}
    ```
 
    - `AI_SERVICE`: `AzureOpenAI` or `OpenAI`.
    - `API_KEY`: The `API key` for Azure OpenAI or for OpenAI.
    - `AZURE_OPENAI_ENDPOINT`: The Azure OpenAI resource `Endpoint` address. Omit `-Endpoint` if using OpenAI.
-   - `AZURE_APPLICATION_ID`: The `Application (client) ID` associated with the registered application.
-
-   - (Optional): To set a specific Tenant Id, use the parameter:
-
-     ```powershell
-     -TenantId {TENANT_ID}
-     ```
 
    - > **IMPORTANT:** For `AzureOpenAI`, if you deployed models `gpt-35-turbo` and `text-embedding-ada-002` with custom names (instead of each own's given name), also use the parameters:
 
@@ -111,19 +95,13 @@ You will need the following items to run the sample:
 3. Configure Chat Copilot.
 
    ```bash
-   ./Configure.sh --aiservice {AI_SERVICE} --apikey {API_KEY} --endpoint {AZURE_OPENAI_ENDPOINT} --clientid {AZURE_APPLICATION_ID}
+   ./Configure.sh --aiservice {AI_SERVICE} --apikey {API_KEY} --endpoint {AZURE_OPENAI_ENDPOINT}
    ```
 
    - `AI_SERVICE`: `AzureOpenAI` or `OpenAI`.
    - `API_KEY`: The `API key` for Azure OpenAI or for OpenAI.
    - `AZURE_OPENAI_ENDPOINT`: The Azure OpenAI resource `Endpoint` address. Omit `--endpoint` if using OpenAI.
-   - `AZURE_APPLICATION_ID`: The `Application (client) ID` associated with the registered application.
 
-   - (Optional): To set a specific Tenant Id, use the parameter:
-
-     ```bash
-     --tenantid {TENANT_ID}
-     ```
 
    - > **IMPORTANT:** For `AzureOpenAI`, if you deployed models `gpt-35-turbo` and `text-embedding-ada-002` with custom names (instead of each own's given name), also use the parameters:
 
@@ -141,27 +119,36 @@ You will need the following items to run the sample:
 
    > NOTE: Confirm pop-ups are not blocked and you are logged in with the same account used to register the application.
 
-## (Optional) Enable backend authorization via Azure AD
+## (Optional) Enable backend authentication via Azure AD
+
+By default, Chat Copilot runs locally without authentication, using a guest user profile. If you want to enable authentication with Azure Active Directory, follow the steps below.
+
+### Requirements
 
-1. Ensure you created the required application registration mentioned in [Register an application](#register-an-application)
+- [Azure account](https://azure.microsoft.com/free)
+- [Azure AD Tenant](https://learn.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
 
-2. Create a second application registration to represent the web api
+### Instructions
 
-   > For more details on creating an application registration, go [here](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
+1. Create an [application registration](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app) for the frontend web app, using the values below
+    - `Supported account types`: "_Accounts in this organizational directory only ({YOUR TENANT} only - Single tenant)_"
+    - `Redirect URI (optional)`: _Single-page application (SPA)_ and use _http://localhost:3000_.
 
-   1. Give the app registration a name
+2. Create a second [application registration](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app) for the backend web api, using the values below:
+    - `Supported account types`: "_Accounts in this organizational directory only ({YOUR TENANT} only - Single tenant)_"
+    - Do **not** configure a `Redirect URI (optional)`
 
-   2. As _Supported account type_ choose `Accounts in any organizational directory and personal Microsoft Accounts`
+> NOTE: Other account types can be used to allow multitenant and personal Microsoft accounts to use your application if you desire. Doing so may result in more users and therefore higher costs.
 
-   3. Do not configure a _Redirect Uri_
+> Take note of the `Application (client) ID` for both app registrations as you will need them in future steps.
 
 3. Expose an API within the second app registration
 
    1. Select _Expose an API_ from the menu
 
    2. Add an _Application ID URI_
 
-      1. This will generate an `api://` URI with a generated for you
+      1. This will generate an `api://` URI
 
       2. Click _Save_ to store the generated URI
 
@@ -193,17 +180,40 @@ You will need the following items to run the sample:
 
    7. Click _Add permissions_
 
-5. Update frontend web app configuration
+5. Run the Configure script with additional parameters to set up authentication.
 
-   1. Open _.env_ file
+    **Powershell**
 
-   2. Set the value of `REACT_APP_AAD_API_SCOPE` to your application ID URI followed by the scope `access_as_user`, e.g. `api://12341234-1234-1234-1234-123412341234/access_as_user`
+    ```powershell
+    .\Configure.ps1 -AiService {AI_SERVICE} -APIKey {API_KEY} -Endpoint {AZURE_OPENAI_ENDPOINT} -FrontendClientId {FRONTEND_APPLICATION_ID} -BackendClientId {BACKEND_APPLICATION_ID} -TenantId {TENANT_ID} -Instance {AZURE_AD_INSTANCE}
+    ```
 
-6. Update backend web api configuration
+    **Bash**
+    ```bash
+    ./Configure.sh --aiservice {AI_SERVICE} --apikey {API_KEY} --endpoint {AZURE_OPENAI_ENDPOINT} --frontend-clientid {FRONTEND_APPLICATION_ID} --backend-clientid {BACKEND_APPLICATION_ID} --tenantid {TENANT_ID} --instance {AZURE_AD_INSTANCE}
+    ```
 
-   1. Open _appsettings.json_
+    - `AI_SERVICE`: `AzureOpenAI` or `OpenAI`.
+    - `API_KEY`: The `API key` for Azure OpenAI or for OpenAI.
+    - `AZURE_OPENAI_ENDPOINT`: The Azure OpenAI resource `Endpoint` address. Omit `-Endpoint` if using OpenAI.
+    - `FRONTEND_APPLICATION_ID`: The `Application (client) ID` associated with the application registration for the frontend.
+    - `BACKEND_APPLICATION_ID`: The `Application (client) ID` associated with the application registration for the backend.
+    - `TENANT_ID` : Your Azure AD tenant ID
+    - `AZURE_AD_INSTANCE` _(optional)_: The Azure AD cloud instance for the authenticating users. Defaults to `https://login.microsoftonline.com`.
 
-   2. Set the value of `Authorization:AzureAd:Audience` to your application ID URI
+6. Run Chat Copilot locally. This step starts both the backend API and frontend application.
+
+    **Powershell**
+
+    ```powershell
+    .\Start.ps1
+    ```
+
+    **Bash**
+
+    ```bash
+    ./Start.sh
+     ```
 
 # Troubleshooting
 

scripts/.env

@@ -6,9 +6,12 @@ ENV_PLANNER_MODEL_OPEN_AI="gpt-3.5-turbo"
 ENV_COMPLETION_MODEL_AZURE_OPEN_AI="gpt-35-turbo"
 ENV_PLANNER_MODEL_AZURE_OPEN_AI="gpt-35-turbo"
 ENV_EMBEDDING_MODEL="text-embedding-ada-002"
-ENV_TENANT_ID="common"
 ENV_ASPNETCORE="Development"
+ENV_INSTANCE="https://login.microsoftonline.com"
 
 # Constants
 ENV_AZURE_OPEN_AI="AzureOpenAI"
 ENV_OPEN_AI="OpenAI"
+ENV_AZURE_AD="AzureAd"
+ENV_NONE="None"
+ENV_SCOPES="access_as_user"