Azure-Samples / azure-search-openai-demo

A sample app for the Retrieval-Augmented Generation pattern running in Azure, using Azure AI Search for retrieval and Azure OpenAI large language models to power ChatGPT-style and Q&A experiences.
https://azure.microsoft.com/products/search
MIT License

Changing from user.read to OIDC #1695

Open RobSch1406 opened 2 weeks ago

RobSch1406 commented 2 weeks ago

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Any log messages given by the failure

```
Traceback (most recent call last):
  File "/tmp/8dc863569d0743f/core/authentication.py", line 251, in get_auth_claims_if_enabled
    auth_claims["groups"] = await AuthenticationHelper.list_groups(graph_resource_access_token)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/8dc863569d0743f/core/authentication.py", line 198, in list_groups
    raise AuthError(error=json.dumps(resp_json), status_code=resp_status)
core.authentication.AuthError: {"error": {"code": "Authorization_RequestDenied", "message": "Insufficient privileges to complete the operation.", "innerError":....
```

azd version?

run azd version and copy paste here.

azd version 1.9.3

I am trying to activate the upload feature. In order to be able to use the authentication approved by our admins, I need to change from the API permission user.read to the OpenID Connect (OIDC) standard using the following scopes:

- openid (mandatory)
- email (optional, provides the user's primary email address)
- profile (optional, profile information such as surname, given name, etc.)

While I now do have admin consent granted, I still receive a 500 error due to missing auth.... As far as I understood the above-mentioned log, it is trying to read some "groups"... What is this used for?

How can I use OIDC? Can someone support?

Thanks upfront!

mattgotteiner commented 2 weeks ago

The groups are for group ACLs. If you don't want to use groups for access control you can safely remove this permission, but you also need to remove the code that calls the Microsoft Graph API that reads the groups.

https://github.com/Azure-Samples/azure-search-openai-demo/blob/e2d6ca356662d9e0c3cf2b4f10dca41db4b83de5/app/backend/core/authentication.py#L180
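As an added illustration of the maintainer's point (this is example code, not code from the azure-search-openai-demo repository), the snippet below makes the Graph "groups" lookup conditional on whether group ACLs are enabled, so a tenant that only grants the OIDC scopes never reaches the denied Graph call, and shows how the per-user search filter is built with and without groups. The function names, the `AuthError` class and the OData filter shape are assumptions modelled on the sample, not its actual API.

```python
# Added example (not code from the azure-search-openai-demo repository). Helper
# names and the OData filter shape are assumptions modelled on the sample.
import json
from typing import Callable, Optional


class AuthError(Exception):
    """Raised when the Graph call is denied (mirrors the traceback in this issue)."""
    def __init__(self, error: str, status_code: int):
        super().__init__(error)
        self.status_code = status_code


def get_auth_claims(id_token_claims: dict,
                    list_groups: Optional[Callable[[], list]],
                    use_group_acls: bool) -> dict:
    """Return the claims used for access control.

    With use_group_acls=False the Graph call is skipped entirely, which is the
    maintainer's suggestion: drop the permission and the code that depends on it.
    """
    claims = {"oid": id_token_claims["oid"]}
    if use_group_acls:
        # Only this branch needs a Graph permission beyond openid/user.read.
        claims["groups"] = list_groups()
    return claims


def build_security_filter(claims: dict) -> str:
    """OData filter restricting results to documents the caller may read:
    the document lists the caller's oid, or one of the caller's groups."""
    parts = [f"oids/any(g:search.in(g, '{claims['oid']}'))"]
    if claims.get("groups"):
        group_list = ", ".join(claims["groups"])
        parts.append(f"groups/any(g:search.in(g, '{group_list}'))")
    return " or ".join(parts)


def denied_graph_call() -> list:
    # Constructed stand-in for list_groups() when the permission is missing.
    body = {"error": {"code": "Authorization_RequestDenied",
                      "message": "Insufficient privileges to complete the operation."}}
    raise AuthError(error=json.dumps(body), status_code=403)


def claims_for_request(use_group_acls: bool) -> dict:
    # Constructed id-token claims for a demo user (placeholder oid).
    token = {"oid": "00000000-0000-0000-0000-000000000001"}
    return get_auth_claims(token, denied_graph_call, use_group_acls)
```

With group ACLs disabled the request is served with an oid-only filter; with them enabled and the permission missing, the same `Authorization_RequestDenied` error seen in the issue surfaces, which is the case to handle deliberately rather than with a 500.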