Open cccs-eric opened 5 months ago
@cccs-eric has there been any progress to support this enhancement? I'm interested in implementing something similar, what has worked for you in the meantime?
Not that I know of. We have been using shared keys for the tiem being, which is not ideal. 😞
Validations
Problem
As of now, the only supported way to authenticate to an Azure OpenAI endpoint in Continue is by using an API key. This works well for OpenAI where each user has its own API key, but in Azure, we are limited to 2 keys per endpoint. We have to share those keys with pretty much everyone in the organization and it is impossible to audit users since API key are not bound to user identities. A much better way to audit and control access to the Azure OpenAI endpoint is to authenticate the user using one of the many ways supported by Azure. It would be nice if we could configure Continue to use something else than API keys to access an Azure OpenAI endpoint.
Solution
Azure supports a few ways to authenticate a user, an application or a principal. Fortunately, Azure provides a convenient Javacript library named azure-identity. Using this, we can request an OAuth2 access token that we can use as a
Bearer
token when accessing the OpenAI endpoint. In other words, this access token becomes your temporary, personal API key.Via DefaultAzureCredential, Microsoft provides a chain of
TokenCredential
classes that you can use to easily find an authentication method that is suitable to you. Under the hood, this class is configured to try a few predefined Credential classes until one works, but it is possible to bypass this method and use a specific Credential instance, or even provide your own.I was able to make it work using
DefaultAzureCredential
, but I would need some guidance on how to make it fit nicely in the current codebase. For my use-case, I would also need to be able to provide my own implementation ofTokenCredential
since we have a custom requirement foruser-impersonation
using an external vault. The details of this is irrelevant to this issue, beside the fact that I'll need a way to provide my own custom implementation.Does this ask seem reasonable, and inline with Continue's authentication philosophy?