Open dfberry opened 9 months ago
The user shouldn't need to log in or log out. You can try the same sample without easy-auth by running it locally. An integrated authorization system will be used instead. This will allow you to see if easy auth is the issue.
https://github.com/Azure-Samples/azure-search-openai-demo?tab=readme-ov-file#running-locally
Another thing you can try when you are at a login page that is stuck for a long time is to open developer tools and see if there are any network errors. We have previously had issues with CORS not working for easy auth which had the same symptom of a "stuck login page".
I checked in a PR which might help with any refresh issues - but I'm still curious if this is reproducible without using easy-auth at all.
For repro - I'm stuck with this error. I'm sure it is transient. I'll try later today or tomorrow.
vscode ➜ /workspaces/azure-search-openai-demo (main) $ azd up
Packaging services (azd package)
up to date, audited 260 packages in 504ms
found 0 vulnerabilities
|==== | Packaging service backend
> frontend@0.0.0 build
> tsc && vite build
| =| Packaging service backendvite v4.5.1 building for production...
✓ 4200 modules transformed.
../backend/static/index.html 0.76 kB │ gzip: 0.38 kB
../backend/static/assets/github-fab00c2d.svg 0.96 kB │ gzip: 0.52 kB
../backend/static/assets/OneShot-daa12333.css 0.83 kB │ gzip: 0.39 kB
../backend/static/assets/index-54ce2544.css 7.28 kB │ gzip: 2.25 kB
../backend/static/assets/NoPage-ea4b1efc.js 0.18 kB │ gzip: 0.18 kB │ map: 0.35 kB
../backend/static/assets/OneShot-efb8c1be.js 4.87 kB │ gzip: 2.06 kB │ map: 20.88 kB
../backend/static/assets/fluentui-icons-e67e11a4.js 5.67 kB │ gzip: 2.56 kB │ map: 4,322.77 kB
../backend/static/assets/index-67467094.js 24.98 kB │ gzip: 8.86 kB │ map: 97.05 kB
../backend/static/assets/fluentui-react-63b3d3f8.js 337.68 kB │ gzip: 95.10 kB │ map: 1,480.88 kB
../backend/static/assets/vendor-7810ac01.js 1,687.91 kB │ gzip: 535.89 kB │ map: 5,151.39 kB
(!) Some chunks are larger than 500 kBs after minification. Consider:
- Using dynamic import() to code-split the application
- Use build.rollupOptions.output.manualChunks to improve chunking: https://rollupjs.org/configuration-options/#output-manualchunks
- Adjust chunk size limit for this warning via build.chunkSizeWarningLimit.
✓ built in 12.58s
(✓) Done: Packaging service backend
- Package Output: /tmp/azure-search-openai-demo-backend-azddeploy-1704838601.zip
Checking if authentication should be setup...
Loading azd .env file from current environment...
AZURE_USE_AUTHENTICATION is set, proceeding with authentication setup...
Creating Python virtual environment "scripts/.venv"...
Installing dependencies from "requirements.txt" into virtual environment (in quiet mode)...
Setting up authentication...
AzureDeveloperCliCredential.get_token failed: {"type":"consoleMessage","timestamp":"2024-01-09T22:16:45.567059636Z","data":{"message":"fetching token: failed to authenticate: unable to resolve an endpoint: http call(https://login.microsoftonline.com/51397421-87d6-42c1-8bab-98305329d7/v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400:\n{\"error\":\"invalid_tenant\",\"error_description\":\"AADSTS90002: Tenant '51397421-87d6-42c1-8bab-98305329d7' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 2d54dde4-74b4-4786-94eb-179a44b6c200 Correlation ID: 7612dab3-ea02-4e08-9ace-d6b1a03665e7 Timestamp: 2024-01-09 22:16:45Z\",\"error_codes\":[90002],\"timestamp\":\"2024-01-09 22:16:45Z\",\"trace_id\":\"2d54dde4-74b4-4786-94eb-179a44b6c200\",\"correlation_id\":\"7612dab3-ea02-4e08-9ace-d6b1a03665e7\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}\n"}}
Traceback (most recent call last):
File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 206, in <module>
asyncio.run(main())
File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 178, in main
auth_headers = await get_auth_headers(credential)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/azure-search-openai-demo/scripts/auth_common.py", line 11, in get_auth_headers
token_result = await credential.get_token("https://graph.microsoft.com/.default")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
token = await fn(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_credentials/azd_cli.py", line 130, in get_token
output = await _run_command(command, self._process_timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_credentials/azd_cli.py", line 195, in _run_command
raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: {"type":"consoleMessage","timestamp":"2024-01-09T22:16:45.567059636Z","data":{"message":"fetching token: failed to authenticate: unable to resolve an endpoint: http call(https://login.microsoftonline.com/51397421-87d6-42c1-8bab-98305329d7/v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400:\n{\"error\":\"invalid_tenant\",\"error_description\":\"AADSTS90002: Tenant '51397421-87d6-42c1-8bab-98305329d7' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 2d54dde4-74b4-4786-94eb-179a44b6c200 Correlation ID: 7612dab3-ea02-4e08-9ace-d6b1a03665e7 Timestamp: 2024-01-09 22:16:45Z\",\"error_codes\":[90002],\"timestamp\":\"2024-01-09 22:16:45Z\",\"trace_id\":\"2d54dde4-74b4-4786-94eb-179a44b6c200\",\"correlation_id\":\"7612dab3-ea02-4e08-9ace-d6b1a03665e7\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}\n"}}
ERROR: failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1
Repro steps in local mac m1 dev container - not complete yet:
git reset --hard upstream/main
or git pull upstream main
azd auth login
azd up
az login
az account show
-> get userID and TenantID
azd env set AZURE_USE_AUTHENTICATION true
azd env set AZURE_AUTH_TENANT_ID <TENANT_ID>
azd up
to turn on easy auth
Which plan should I use if I travel frequently
Docs aren't locked down yet but website requires auth.
bash ./scripts/manageacl.sh --acl-action enable_acls
bash ./scripts/manageacl.sh --document Benefit_Options.pdf --acl-type oids --acl-action add --acl <userid>
bash ./scripts/manageacl.sh --document Benefit_Options.pdf --acl-type oids --acl-action view
/.auth/me
Are you using the same tenant for both auth and your app? It might help to explicitly set AZURE_TENANT_ID to the tenant your app is running in.
I can't reproduce. If I hit it again I'll try to capture more details.
I set up the user auth and document level access control but this took a lot longer than I thought. I stayed on the web page after authenticating. The website didn't tell me that my token was expired or that I needed to log in again.
Once I added my user to the Benefit_Options.pdf with the manageacl.ps1 script and verified the acl was on that doc, I went back to the website and clicked on the first card (which has to do with benefit options). I got an auth error. Since I've worked on AAD auth before with easy auth, I assumed it was an expired token, so I logged out and logged back in, then tried the card and got the answer instead of the error.
This feels like it is an issue with the App Service easy auth not refreshing the token behind the scenes. Is there code in the repo to refresh the auth token? Or do I as the user need to log out/log in manually after I'm given permissions to a specific PDF in Azure Search?
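One way a front end behind App Service easy auth can detect a stale session and refresh it instead of failing silently, as an added example that is not code from the repo or from anyone in this thread. The `/.auth/me` payload below is constructed, and the function names, the five-minute skew and the assumption that the backend answers an expired token with HTTP 401 are all hypothetical.

```javascript
// Constructed sample of a /.auth/me response (values are made up).
const SAMPLE_AUTH_ME = [{
  provider_name: "aad",
  user_id: "user@example.com",
  expires_on: "2024-01-09T23:16:45.0000000Z",
  user_claims: [{ typ: "name", val: "Example User" }],
}];

// Return the session expiry in epoch milliseconds, or null if it is absent or unparseable.
function sessionExpiry(authMe) {
  const entry = Array.isArray(authMe) ? authMe[0] : null;
  if (!entry || typeof entry.expires_on !== "string") return null;
  // Trim fractional seconds to three digits so Date.parse sees plain ISO 8601.
  const ms = Date.parse(entry.expires_on.replace(/(\.\d{3})\d+/, "$1"));
  return Number.isNaN(ms) ? null : ms;
}

// True when the token is missing, expired, or expires within skewMs.
function needsRefresh(authMe, nowMs, skewMs = 5 * 60 * 1000) {
  const expiry = sessionExpiry(authMe);
  return expiry === null || expiry - nowMs <= skewMs;
}

// Call the API; on 401 try /.auth/refresh once, then retry the original request.
// The refresh only succeeds if the identity provider was configured to issue
// refresh tokens; otherwise the caller has to send the user back to sign-in.
async function fetchWithRefresh(url, options = {}, fetchImpl = fetch) {
  const response = await fetchImpl(url, options);
  if (response.status !== 401) return response;
  const refreshed = await fetchImpl("/.auth/refresh");
  if (!refreshed.ok) {
    const err = new Error("Session expired; sign in again");
    err.code = "LOGIN_REQUIRED"; // lets the UI show a message instead of a bare auth error
    throw err;
  }
  return fetchImpl(url, options);
}
```

Surfacing `LOGIN_REQUIRED` in the UI addresses the part of the report where the page gave no hint that the session had expired.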