Use entra app id and certificate for authentication (#8262)

raych1 · web-flow · commit d5b8343efd54 · 2024-05-21T11:25:23.000+08:00
* Use certificate for bot authentication

* Updated deployment template
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/.editorconfig b/tools/sdk-ai-bots/AzureSdkQaBot/.editorconfig
@@ -338,3 +338,6 @@ csharp_style_prefer_primary_constructors = true:suggestion
 
 # CS8618: Non-nullable field must contain a non-null value when exiting constructor. Consider declaring as nullable.
 dotnet_diagnostic.CS8618.severity = none
+
+# CS8604: Possible null reference argument.
+dotnet_diagnostic.CS8604.severity = none
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/AzureSdkQaBot.csproj b/tools/sdk-ai-bots/AzureSdkQaBot/AzureSdkQaBot.csproj
@@ -13,7 +13,9 @@
   <ItemGroup>
     <PackageReference Include="AdaptiveCards" Version="3.0.0" />
     <PackageReference Include="AdaptiveCards.Templating" Version="1.4.0" />
+    <PackageReference Include="Azure.Identity" Version="1.11.2" />
     <PackageReference Include="Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.1.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
     <PackageReference Include="Microsoft.Bot.Builder" Version="4.20.0" />
     <PackageReference Include="Microsoft.Bot.Builder.Integration.AspNet.Core" Version="4.20.0" />
     <PackageReference Include="Microsoft.Bot.Connector" Version="4.20.0" />
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/Config.cs b/tools/sdk-ai-bots/AzureSdkQaBot/Config.cs
@@ -5,6 +5,8 @@ public class ConfigOptions
         public string? BOT_ID { get; set; }
         public string? BOT_PASSWORD { get; set; }
         public string? GITHUB_TOKEN { get; set; }
+        public string? KeyVaultUrl { get; set; }
+        public string? CertificateName { get; set; }
         public OpenAIConfigOptions? OpenAI { get; set; }
         public AzureConfigOptions? Azure { get; set; }
         public CognitiveSearchOptions? Search { get; set; }
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/Program.cs b/tools/sdk-ai-bots/AzureSdkQaBot/Program.cs
@@ -12,6 +12,8 @@
 using Microsoft.SemanticKernel.Connectors.Memory.AzureCognitiveSearch;
 using AzureSdkQaBot.Model;
 using Octokit;
+using Azure.Identity;
+using Azure.Security.KeyVault.Certificates;
 
 var builder = WebApplication.CreateBuilder(args);
 
@@ -21,9 +23,44 @@
 
 // Prepare Configuration for ConfigurationBotFrameworkAuthentication
 var config = builder.Configuration.Get<ConfigOptions>()!;
-builder.Configuration["MicrosoftAppType"] = "MultiTenant";
-builder.Configuration["MicrosoftAppId"] = config.BOT_ID;
-builder.Configuration["MicrosoftAppPassword"] = config.BOT_PASSWORD;
+
+
+// Access key vault
+if (string.IsNullOrEmpty(config.KeyVaultUrl))
+{
+    throw new Exception("KeyVaultUrl is not set in the configuration.");
+}
+
+System.Security.Cryptography.X509Certificates.X509Certificate2? certificate = null;
+try
+{
+    CertificateClient client = new(vaultUri: new Uri(config.KeyVaultUrl), credential: new DefaultAzureCredential());
+    if (client == null)
+    {
+        throw new Exception($"Failed to create KeyVault client for {config.KeyVaultUrl}");
+    }
+
+
+    //Get certificate in X509Certificate format
+    if (string.IsNullOrEmpty(config.CertificateName))
+    {
+        throw new Exception("CertificateName is not set in the configuration.");
+    }
+    string certificateName = config.CertificateName;
+    certificate = client.DownloadCertificate(certificateName).Value;
+
+    if (certificate == null)
+    {
+        throw new Exception($"Certificate {certificateName} not found in KeyVault {config.KeyVaultUrl}");
+    }
+}
+catch (Exception ex)
+{
+    throw new Exception($"Failed to get certificate {config.CertificateName} from KeyVault {config.KeyVaultUrl}", ex);
+}
+
+// Create the ClientCredentialsFactory to user certificate authentication
+builder.Services.AddSingleton<ServiceClientCredentialsFactory>((e) => new CertificateServiceClientCredentialsFactory(certificate, config.BOT_ID, "72f988bf-86f1-41af-91ab-2d7cd011db47"));
 
 // Create the Bot Framework Authentication to be used with the Bot Adapter.
 builder.Services.AddSingleton<BotFrameworkAuthentication, ConfigurationBotFrameworkAuthentication>();
@@ -86,7 +123,7 @@
     IPlanner<AppState> planner = new AzureOpenAIPlanner<AppState>(sp.GetService<AzureOpenAIPlannerOptions>(), loggerFactory.CreateLogger<AzureOpenAIPlanner<AppState>>());
     //IModerator<AppState> moderator = new AzureContentSafetyModerator<AppState>(sp.GetService<AzureContentSafetyModeratorOptions>(), loggerFactory.CreateLogger<AzureContentSafetyModerator<AppState>>());
 
-    ApplicationOptions<AppState, AppStateManager> applicationOptions = new ApplicationOptions<AppState, AppStateManager>()
+    ApplicationOptions<AppState, AppStateManager> applicationOptions = new()
     {
         AI = new AIOptions<AppState>(planner, promptManager)
         {
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/appsettings.json b/tools/sdk-ai-bots/AzureSdkQaBot/appsettings.json
@@ -10,6 +10,8 @@
   "BOT_PASSWORD": "${botPassword}",
   "GITHUB_TOKEN": "",
   "APPLICATIONINSIGHTS_CONNECTION_STRING": "",
+  "KeyVaultUrl": "https://kv-sdk-tools-test.vault.azure.net",
+  "CertificateName": "AzureSDK-AI-Bot",
   "OpenAI": {
     "ApiKey": ""
   },
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/infra/azure.bicep b/tools/sdk-ai-bots/AzureSdkQaBot/infra/azure.bicep
@@ -36,6 +36,8 @@ param location string = resourceGroup().location
 
 param azureEmbeddingModelDeploymentName string
 param azureChatModelDeploymentName string
+param keyVaultUrl string
+param certificateName string
 
 @secure()
 param searchServiceUrl string
@@ -77,6 +79,10 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
           name: 'RUNNING_ON_AZURE'
           value: '1'
         }
+        {
+          name: 'WEBSITE_LOAD_USER_PROFILE'
+          value: '1'
+        }
         {
           name: 'BOT_ID'
           value: botAadAppClientId
@@ -129,6 +135,14 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
           name: 'APPLICATIONINSIGHTS_CONNECTION_STRING'
           value: appInsightConnectionString
         }
+        {
+          name: 'KeyVaultUrl'
+          value: keyVaultUrl
+        }
+        {
+          name: 'CertificateName'
+          value: certificateName
+        }
       ]
       ftpsState: 'FtpsOnly'
     }
diff --git a/tools/sdk-ai-bots/AzureSdkQaBot/infra/azure.parameters.json b/tools/sdk-ai-bots/AzureSdkQaBot/infra/azure.parameters.json
@@ -49,6 +49,12 @@
     },
     "appInsightConnectionString": {
       "value": "${{SECRET_APP_INSIGHT_CONNECTION_STRING}}"
+    },
+    "keyVaultUrl": {
+      "value": "${{KEYVAULT_URL}}"
+    },
+    "certificateName": {
+      "value": "${{CERTIFICATE_NAME}}"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,12 @@`
`49`	`49`	`},`
`50`	`50`	`"appInsightConnectionString": {`
`51`	`51`	`"value": "${{SECRET_APP_INSIGHT_CONNECTION_STRING}}"`
	`52`	`+ },`
	`53`	`+ "keyVaultUrl": {`
	`54`	`+ "value": "${{KEYVAULT_URL}}"`
	`55`	`+ },`
	`56`	`+ "certificateName": {`
	`57`	`+ "value": "${{CERTIFICATE_NAME}}"`
`52`	`58`	`}`
`53`	`59`	`}`
`54`	`60`	`}`