
Is App Service easy auth token refresh working? #1115

Open
dfberry opened this issue Jan 3, 2024 · 6 comments

Comments

@dfberry
Contributor

dfberry commented Jan 3, 2024

I set up the user auth and document level access control but this took a lot longer than I thought. I stayed on the web page after authenticating. The website didn't tell me that my token was expired or that I needed to login again.

Once I added my user to the Benefit_Options.pdf with the manageacl.sp1 script and verified the acl was on that doc, I went back to the website and clicked on the first card (which has to do with benefit options). I got an auth error. Since I've worked on AAD auth before with easy auth, I assumed it was an expired token, so I logged out and logged back in, then tried the card and got the answer instead of the error.

This feels like it is an issue with the App Service easy auth not refreshing the token behind the scenes. Is there code in the repo to refresh the auth token? Or do I as the user need to logout/login manually after I'm given permissions to a specific PDF in Azure Search?

@mattgotteiner
Collaborator

The user shouldn't need to log in or log out. You can try the same sample without easy-auth by running it locally. An integrated authorization system will be used instead. This will allow you to see if easy auth is the issue.

https://github.com/Azure-Samples/azure-search-openai-demo?tab=readme-ov-file#running-locally

@mattgotteiner
Collaborator

Another thing you can try when you are at a login page that is stuck for a long time is to open developer tools and see if there are any network errors. We have previously had issues with CORS not working for easy auth which had the same symptom of a "stuck login page".

@mattgotteiner
Collaborator

I checked in a PR which might help with any refresh issues, but I'm still curious if this is reproducible without using easy-auth at all.

#1117

@dfberry
Contributor Author

dfberry commented Jan 9, 2024

For repro - I'm stuck with this error. I'm sure it is transient. I'll try later today or tomorrow.

vscode ➜ /workspaces/azure-search-openai-demo (main) $ azd up

Packaging services (azd package)


up to date, audited 260 packages in 504ms

found 0 vulnerabilities
  |====   | Packaging service backend
> frontend@0.0.0 build
> tsc && vite build

  |      =| Packaging service backendvite v4.5.1 building for production...
✓ 4200 modules transformed.
../backend/static/index.html                             0.76 kB │ gzip:   0.38 kB
../backend/static/assets/github-fab00c2d.svg             0.96 kB │ gzip:   0.52 kB
../backend/static/assets/OneShot-daa12333.css            0.83 kB │ gzip:   0.39 kB
../backend/static/assets/index-54ce2544.css              7.28 kB │ gzip:   2.25 kB
../backend/static/assets/NoPage-ea4b1efc.js              0.18 kB │ gzip:   0.18 kB │ map:     0.35 kB
../backend/static/assets/OneShot-efb8c1be.js             4.87 kB │ gzip:   2.06 kB │ map:    20.88 kB
../backend/static/assets/fluentui-icons-e67e11a4.js      5.67 kB │ gzip:   2.56 kB │ map: 4,322.77 kB
../backend/static/assets/index-67467094.js              24.98 kB │ gzip:   8.86 kB │ map:    97.05 kB
../backend/static/assets/fluentui-react-63b3d3f8.js    337.68 kB │ gzip:  95.10 kB │ map: 1,480.88 kB
../backend/static/assets/vendor-7810ac01.js          1,687.91 kB │ gzip: 535.89 kB │ map: 5,151.39 kB

(!) Some chunks are larger than 500 kBs after minification. Consider:
- Using dynamic import() to code-split the application
- Use build.rollupOptions.output.manualChunks to improve chunking: https://rollupjs.org/configuration-options/#output-manualchunks
- Adjust chunk size limit for this warning via build.chunkSizeWarningLimit.
✓ built in 12.58s
  (✓) Done: Packaging service backend
  - Package Output: /tmp/azure-search-openai-demo-backend-azddeploy-1704838601.zip
Checking if authentication should be setup...
Loading azd .env file from current environment...
AZURE_USE_AUTHENTICATION is set, proceeding with authentication setup...
Creating Python virtual environment "scripts/.venv"...
Installing dependencies from "requirements.txt" into virtual environment (in quiet mode)...
Setting up authentication...
AzureDeveloperCliCredential.get_token failed: {"type":"consoleMessage","timestamp":"2024-01-09T22:16:45.567059636Z","data":{"message":"fetching token: failed to authenticate: unable to resolve an endpoint: http call(https://login.microsoftonline.com/51397421-87d6-42c1-8bab-98305329d7/v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400:\n{\"error\":\"invalid_tenant\",\"error_description\":\"AADSTS90002: Tenant '51397421-87d6-42c1-8bab-98305329d7' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 2d54dde4-74b4-4786-94eb-179a44b6c200 Correlation ID: 7612dab3-ea02-4e08-9ace-d6b1a03665e7 Timestamp: 2024-01-09 22:16:45Z\",\"error_codes\":[90002],\"timestamp\":\"2024-01-09 22:16:45Z\",\"trace_id\":\"2d54dde4-74b4-4786-94eb-179a44b6c200\",\"correlation_id\":\"7612dab3-ea02-4e08-9ace-d6b1a03665e7\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}\n"}}

Traceback (most recent call last):
  File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 206, in <module>
    asyncio.run(main())
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/./scripts/auth_init.py", line 178, in main
    auth_headers = await get_auth_headers(credential)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/scripts/auth_common.py", line 11, in get_auth_headers
    token_result = await credential.get_token("https://graph.microsoft.com/.default")
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
    token = await fn(*args, **kwargs)
            ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_credentials/azd_cli.py", line 130, in get_token
    output = await _run_command(command, self._process_timeout)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/workspaces/azure-search-openai-demo/scripts/.venv/lib/python3.11/site-packages/azure/identity/aio/_credentials/azd_cli.py", line 195, in _run_command
    raise ClientAuthenticationError(message=message)
azure.core.exceptions.ClientAuthenticationError: {"type":"consoleMessage","timestamp":"2024-01-09T22:16:45.567059636Z","data":{"message":"fetching token: failed to authenticate: unable to resolve an endpoint: http call(https://login.microsoftonline.com/51397421-87d6-42c1-8bab-98305329d7/v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400:\n{\"error\":\"invalid_tenant\",\"error_description\":\"AADSTS90002: Tenant '51397421-87d6-42c1-8bab-98305329d7' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 2d54dde4-74b4-4786-94eb-179a44b6c200 Correlation ID: 7612dab3-ea02-4e08-9ace-d6b1a03665e7 Timestamp: 2024-01-09 22:16:45Z\",\"error_codes\":[90002],\"timestamp\":\"2024-01-09 22:16:45Z\",\"trace_id\":\"2d54dde4-74b4-4786-94eb-179a44b6c200\",\"correlation_id\":\"7612dab3-ea02-4e08-9ace-d6b1a03665e7\",\"error_uri\":\"https://login.microsoftonline.com/error?code=90002\"}\n"}}


ERROR: failed running pre hooks: 'preprovision' hook failed with exit code: '1', Path: './scripts/auth_init.sh'. : exit code: 1

Repro steps in local mac m1 dev container - not complete yet:

Initial upload of documents and provisioning of resources

  1. git reset --hard upstream/main or git pull upstream main
  2. azd auth login
  3. azd up

Sets up for easy auth

  1. az login
  2. az account show -> get userID and TenantID
  3. azd env set AZURE_USE_AUTHENTICATION true
  4. azd env set AZURE_AUTH_TENANT_ID <TENANT_ID>
  5. azd up to turn on easy auth

Use website to query search

  1. Use website
  2. Good prompt for Benefit_Options.pdf is: Which plan should I use if I travel frequently
  3. Leave browser window open. Wait a couple of hours.

Docs aren't locked down yet but website requires auth.

Change acls in search index

  1. bash ./scripts/manageacl.sh --acl-action enable_acls
  2. bash ./scripts/manageacl.sh --document Benefit_Options.pdf --acl-type oids --acl-action add --acl <userid>
  3. Check index in Azure portal - search term is "Plan and Benefit Packages" - scroll down to bottom of listing and see OIDs.
  4. bash ./scripts/manageacl.sh --document Benefit_Options.pdf --acl-type oids --acl-action view

Use website to query search

  1. Use website
  2. Check out if token is expired /.auth/me
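An added example (editor's illustration, not code from the azure-search-openai-demo repo or from either commenter) of what step 2 of the last list looks like when done from the frontend: read the Easy Auth session from the platform's `/.auth/me` endpoint, compute how long the access token has left, and when it is about to expire ask the platform to renew it via `/.auth/refresh` instead of forcing the user through a logout/login. `/.auth/me` and `/.auth/refresh` are App Service Authentication endpoints; the `fetchImpl` parameter, the fake fetch, the `ensureFreshSession` function name and the sample payload are assumptions made so the file runs offline under Node.

```javascript
// Added example (not code from the azure-search-openai-demo repo): inspect the
// App Service Easy Auth session via /.auth/me and, when the access token is
// close to expiry, ask the platform to renew it via /.auth/refresh.
// Assumptions: the page is served behind App Service Authentication, the calls
// carry the session cookie, and /.auth/refresh can actually renew (the provider
// issued a refresh token, which for Microsoft Entra needs the offline_access scope).

const REFRESH_SKEW_SECONDS = 5 * 60; // treat a token as stale 5 minutes early

// /.auth/me returns a JSON array with one entry per identity provider, each
// carrying expires_on as an ISO-8601 timestamp (often with 7 fractional digits).
// Returns seconds left before the first entry's access token expires (negative if
// already expired), or null when the payload carries no usable expiry.
function secondsUntilExpiry(mePayload, nowMs = Date.now()) {
  if (!Array.isArray(mePayload) || mePayload.length === 0) return null;
  const expiresOn = mePayload[0].expires_on;
  if (typeof expiresOn !== "string") return null;
  // Date.parse only guarantees millisecond precision: trim extra fraction digits.
  const normalized = expiresOn.replace(/(\.\d{3})\d+(Z)$/, "$1$2");
  const expiresMs = Date.parse(normalized);
  if (Number.isNaN(expiresMs)) return null;
  return Math.floor((expiresMs - nowMs) / 1000);
}

// True when the session should be refreshed (or re-established) before the
// next call to the backend.
function needsRefresh(mePayload, nowMs = Date.now(), skew = REFRESH_SKEW_SECONDS) {
  const remaining = secondsUntilExpiry(mePayload, nowMs);
  // No session or unparsable expiry: caller should send the user to /.auth/login/<provider>.
  if (remaining === null) return true;
  return remaining <= skew;
}

// Check the session and refresh when needed. fetchImpl is injected so the logic
// can run without a network; in a browser the default is window.fetch.
async function ensureFreshSession(fetchImpl = globalThis.fetch, nowMs = Date.now()) {
  const meRes = await fetchImpl("/.auth/me", { credentials: "include" });
  if (meRes.status === 401) return { state: "unauthenticated" }; // no session cookie
  if (!meRes.ok) throw new Error(`/.auth/me returned ${meRes.status}`);
  const me = await meRes.json();
  if (!needsRefresh(me, nowMs)) {
    return { state: "fresh", secondsLeft: secondsUntilExpiry(me, nowMs) };
  }
  const refreshRes = await fetchImpl("/.auth/refresh", { credentials: "include" });
  if (refreshRes.ok) return { state: "refreshed" };
  // A failed refresh typically means no refresh token was stored for the session:
  // the user has to go through /.auth/login/<provider> again.
  return { state: "refresh_failed", status: refreshRes.status };
}

// Constructed sample payload in the shape /.auth/me returns (all values made up).
const SAMPLE_ME = [
  {
    provider_name: "aad",
    expires_on: "2024-01-09T23:00:00.0000000Z",
    access_token: "<redacted-constructed-value>",
    user_claims: [{ typ: "name", val: "Example User" }],
  },
];

// Minimal stand-in for fetch so the file can be exercised outside a browser.
function makeFakeFetch(mePayload, refreshStatus) {
  return async (url) => {
    if (url === "/.auth/me") {
      return { ok: true, status: 200, json: async () => mePayload };
    }
    if (url === "/.auth/refresh") {
      return { ok: refreshStatus === 200, status: refreshStatus };
    }
    return { ok: false, status: 404, json: async () => null };
  };
}

if (typeof window === "undefined") {
  // Stand-alone demo: two minutes before the constructed expiry, so a refresh is attempted.
  const now = Date.parse("2024-01-09T22:58:00Z");
  ensureFreshSession(makeFakeFetch(SAMPLE_ME, 200), now).then((r) => console.log(r));
}
```

Wiring `ensureFreshSession` in before each backend request (or on a timer) gives the page a chance to renew silently; a `refresh_failed` result is the signal that the platform has no refresh token for the session, which is the case where only a new login helps.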

@mattgotteiner
Collaborator

Are you using the same tenant for both auth and your app? It might help to explicitly set AZURE_TENANT_ID to the tenant your app is running in.

@dfberry
Contributor Author

dfberry commented Jan 9, 2024

I can't reproduce. If I hit it again I'll try to capture more details.
