Security: remove API key auth #92
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
webapp
github-actions
bot
added
documentation
gitri-ms
commented
Aug 3, 2023
| @@ -112,8 +112,6 @@ This will get you to the CORS page where you can add your allowed hosts. | |||
|
|
|||
| ## Authorization | |||
| All of endpoints (except `/healthz`) require authorization to access. | |||
| By default, an API key is required for access which can be found in the `Authorization:ApiKey` configuration setting. | |||
There was a problem hiding this comment.
TODO: update this section. Also update deployment commands
gitri-ms
commented
Aug 3, 2023
| [string] | ||
| # Authority for client applications that are not configured as multi-tenant. | ||
| $Authority="https://login.microsoftonline.com/common" | ||
| $Authority = "https://login.microsoftonline.com/common" |
There was a problem hiding this comment.
There is some weirdness here -- the backend expects instance + tenant ID, while the frontend expects authority. However the values need to match. This could be confusing for the user. Perhaps change to make them more consistent (e.g. both use instance + tenant id)?
There was a problem hiding this comment.
What's the format expected from the client side?
gitri-ms
commented
Aug 4, 2023
4 tasks
This was
linked to
issues
Aug 7, 2023
gitri-ms
added
the
PR: breaking change
glahaye
reviewed
Aug 7, 2023
|
|
||
| [string] | ||
| # Azure AD tenant ID for authenticating users | ||
| $AzureAdTenantId = "common", |
There was a problem hiding this comment.
As discussed during bug bash, we might want to not put "common" as the default and force users to provide a tenant
There was a problem hiding this comment.
Yup, I am currently going through and changing all of these
glahaye
reviewed
Aug 7, 2023
| echo " -ai, --ai-service AI_SERVICE_TYPE Type of AI service to use (i.e., OpenAI or AzureOpenAI)" | ||
| echo " -aikey, --ai-service-key AI_SERVICE_KEY API key for existing Azure OpenAI resource or OpenAI account" | ||
| echo " -aiend, --ai-endpoint AI_ENDPOINT Endpoint for existing Azure OpenAI resource" | ||
| echo " -rg, --resource-group RESOURCE_GROUP Resource group to which to make the deployment (default: \"rg-\$DEPLOYMENT_NAME\")" | ||
| echo " -r, --region REGION Region to which to make the deployment (default: \"South Central US\")" | ||
| echo " -wr, --web-app-region WEB_APP_REGION Region to deploy to the static web app into. This must be a region that supports static web apps. (default: \"West US 2\")" | ||
| echo " -a, --app-service-sku WEB_APP_SVC_SKU SKU for the Azure App Service plan (default: \"B1\")" | ||
| echo " -i, --instance AZURE_AD_INSTANCE Azure AD cloud instance for authenticating users" | ||
| echo " (default: \"https://login.microsoftonline.com/\")" | ||
| echo " -t, --tenant-id AZURE_AD_TENANT_ID Azure AD tenant ID for authenticating users (default: \"common\")" |
There was a problem hiding this comment.
Again, might want to make this mandatory...
glahaye
reviewed
Aug 7, 2023
| @@ -171,20 +179,24 @@ az account set -s "$SUBSCRIPTION" | |||
| : "${REGION:="southcentralus"}" | |||
| : "${WEB_APP_SVC_SKU:="B1"}" | |||
| : "${WEB_APP_REGION:="westus2"}" | |||
| : "${AZURE_AD_INSTANCE:="https://login.microsoftonline.com/"}" | |||
| : "${AZURE_AD_TENANT_ID:="common"}" | |||
glahaye
reviewed
Aug 7, 2023
| param azureAdInstance string = environment().authentication.loginEndpoint | ||
|
|
||
| @description('Azure AD tenant ID for authenticating users') | ||
| param azureAdTenantId string = 'common' |
4 tasks
This was
unlinked from
issues
Aug 8, 2023
|
Closing this PR as it is now covered by #126 |
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 18, 2023
### Motivation and Context This PR addresses microsoft/semantic-kernel#1639. It is a combination of PRs #92 and #110 ### Description #### Backend changes - Remove API key authorization - Use "AzureAD" as default authentication configuration for deployments, "None" for running locally (Note: UI changes to disable sign in flow for the latter case are still forthcoming) - Enable auth policy on controllers that checks if the user is part of the conversation they are trying to access This PR changes the contract between the frontend and backend around how user IDs are communicated. Users who have been signing into the frontend with AAD will now only see their chats if the backend is also gated by AAD authentication, which was not the case previously. #### Frontend changes - adds `REACT_APP_AUTH_TYPE` and changes AAD variables in `.env` to be optional - adds `AuthHelper.IsAuthAAD` to conditionally render different elements throughout the app - changes user settings menu popup to instead just show as a settings button:  Existing users will need to uncomment `REACT_APP_AUTH_TYPE=AzureAd` in `webapp/.env` to continue using AAD as their authorization type. ### Contribution Checklist <!-- Before submitting this PR, please make sure: --> - [x] The code builds clean without any errors or warnings - [x] The PR follows the [Contribution Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts) raises no violations - [ ] All unit tests pass, and I have added new tests where possible - [x] I didn't break anyone 😄 --------- Co-authored-by: Desmond Howard <[email protected]>
teamleader-dev
pushed a commit
to vlink-group/chat-copilot
that referenced
this pull request
Oct 7, 2024
### Motivation and Context This PR addresses microsoft/semantic-kernel#1639. It is a combination of PRs microsoft#92 and microsoft#110 ### Description #### Backend changes - Remove API key authorization - Use "AzureAD" as default authentication configuration for deployments, "None" for running locally (Note: UI changes to disable sign in flow for the latter case are still forthcoming) - Enable auth policy on controllers that checks if the user is part of the conversation they are trying to access This PR changes the contract between the frontend and backend around how user IDs are communicated. Users who have been signing into the frontend with AAD will now only see their chats if the backend is also gated by AAD authentication, which was not the case previously. #### Frontend changes - adds `REACT_APP_AUTH_TYPE` and changes AAD variables in `.env` to be optional - adds `AuthHelper.IsAuthAAD` to conditionally render different elements throughout the app - changes user settings menu popup to instead just show as a settings button:  Existing users will need to uncomment `REACT_APP_AUTH_TYPE=AzureAd` in `webapp/.env` to continue using AAD as their authorization type. ### Contribution Checklist <!-- Before submitting this PR, please make sure: --> - [x] The code builds clean without any errors or warnings - [x] The PR follows the [Contribution Guidelines](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/copilot-chat/blob/main/CONTRIBUTING.md#development-scripts) raises no violations - [ ] All unit tests pass, and I have added new tests where possible - [x] I didn't break anyone 😄 --------- Co-authored-by: Desmond Howard <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation and Context
This PR addresses microsoft/semantic-kernel#1639
Description
Breaking change: This PR changes the contract between the frontend and backend around how user IDs are communicated. Users who have been signing into the frontend with AAD will now only see their chats if the backend is also gated by AAD authentication, which was not the case previously.
Contribution Checklist