Support custom Auth Audience for Azure services (#945)

Add custom audience settings for more Azure services: * Azure AI Document Intelligence * Azure AI Search * Azure Blobs * Azure Queues Rename the param used in Azure OpenAI and use the same `AzureIdentityAudience` param name across Azure services. KM extensions for Azure not supporting custom JWT auth claims: * Azure AI Content Safety * Azure Redis * Azure SQL
microsoft · Dec 17, 2024 · cc67af2 · cc67af2
1 parent 3701d1a
commit cc67af2
Show file tree

Hide file tree

Showing 38 changed files with 768 additions and 2,379 deletions.
diff --git a/KernelMemory.sln b/KernelMemory.sln
@@ -82,6 +82,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "root", "root", "{6EF76FD8-4
 		nuget.config = nuget.config
 		README.md = README.md
 		SECURITY.md = SECURITY.md
+		swagger.json = swagger.json
 	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = ".github", ".github", "{B8976338-7CDC-47AE-8502-C2FBAFBEBD68}"

diff --git a/README.md b/README.md
@@ -559,10 +559,12 @@ githubcontrib --repo kernel-memory --owner microsoft --showlogin true --sortBy l
 :---: |:---: |:---: |:---: |:---: |:---: |
 [pawarsum12](https://github.com/pawarsum12) |[pradeepr-roboticist](https://github.com/pradeepr-roboticist) |[qihangnet](https://github.com/qihangnet) |[roldengarm](https://github.com/roldengarm) |[setuc](https://github.com/setuc) |[slapointe](https://github.com/slapointe) |
 
-[<img alt="slorello89" src="https://avatars.githubusercontent.com/u/42971704?v=4&s=110" width="110">](https://github.com/slorello89) |[<img alt="snakex64" src="https://avatars.githubusercontent.com/u/39806655?v=4&s=110" width="110">](https://github.com/snakex64) |[<img alt="spenavajr" src="https://avatars.githubusercontent.com/u/96045491?v=4&s=110" width="110">](https://github.com/spenavajr) |[<img alt="TaoChenOSU" src="https://avatars.githubusercontent.com/u/12570346?v=4&s=110" width="110">](https://github.com/TaoChenOSU) |[<img alt="teresaqhoang" src="https://avatars.githubusercontent.com/u/125500434?v=4&s=110" width="110">](https://github.com/teresaqhoang) |[<img alt="tomasz-skarzynski" src="https://avatars.githubusercontent.com/u/119002478?v=4&s=110" width="110">](https://github.com/tomasz-skarzynski) |
+[<img alt="slorello89" src="https://avatars.githubusercontent.com/u/42971704?v=4&s=110" width="110">](https://github.com/slorello89) |[<img alt="snakex64" src="https://avatars.githubusercontent.com/u/39806655?v=4&s=110" width="110">](https://github.com/snakex64) |[<img alt="spenavajr" src="https://avatars.githubusercontent.com/u/96045491?v=4&s=110" width="110">](https://github.com/spenavajr) |[<img alt="TaoChenOSU" src="https://avatars.githubusercontent.com/u/12570346?v=4&s=110" width="110">](https://github.com/TaoChenOSU) |[<img alt="tarekgh" src="https://avatars.githubusercontent.com/u/10833894?v=4&s=110" width="110">](https://github.com/tarekgh) |[<img alt="teresaqhoang" src="https://avatars.githubusercontent.com/u/125500434?v=4&s=110" width="110">](https://github.com/teresaqhoang) |
 :---: |:---: |:---: |:---: |:---: |:---: |
-[slorello89](https://github.com/slorello89) |[snakex64](https://github.com/snakex64) |[spenavajr](https://github.com/spenavajr) |[TaoChenOSU](https://github.com/TaoChenOSU) |[teresaqhoang](https://github.com/teresaqhoang) |[tomasz-skarzynski](https://github.com/tomasz-skarzynski) |
+[slorello89](https://github.com/slorello89) |[snakex64](https://github.com/snakex64) |[spenavajr](https://github.com/spenavajr) |[TaoChenOSU](https://github.com/TaoChenOSU) |[tarekgh](https://github.com/tarekgh) |[teresaqhoang](https://github.com/teresaqhoang) |
 
-[<img alt="v-msamovendyuk" src="https://avatars.githubusercontent.com/u/61688766?v=4&s=110" width="110">](https://github.com/v-msamovendyuk) |[<img alt="Valkozaur" src="https://avatars.githubusercontent.com/u/58659526?v=4&s=110" width="110">](https://github.com/Valkozaur) |[<img alt="vicperdana" src="https://avatars.githubusercontent.com/u/7114832?v=4&s=110" width="110">](https://github.com/vicperdana) |[<img alt="walexee" src="https://avatars.githubusercontent.com/u/12895846?v=4&s=110" width="110">](https://github.com/walexee) |[<img alt="westdavidr" src="https://avatars.githubusercontent.com/u/669668?v=4&s=110" width="110">](https://github.com/westdavidr) |[<img alt="xbotter" src="https://avatars.githubusercontent.com/u/3634877?v=4&s=110" width="110">](https://github.com/xbotter) |
+[<img alt="tomasz-skarzynski" src="https://avatars.githubusercontent.com/u/119002478?v=4&s=110" width="110">](https://github.com/tomasz-skarzynski) |[<img alt="v-msamovendyuk" src="https://avatars.githubusercontent.com/u/61688766?v=4&s=110" width="110">](https://github.com/v-msamovendyuk) |[<img alt="Valkozaur" src="https://avatars.githubusercontent.com/u/58659526?v=4&s=110" width="110">](https://github.com/Valkozaur) |[<img alt="vicperdana" src="https://avatars.githubusercontent.com/u/7114832?v=4&s=110" width="110">](https://github.com/vicperdana) |[<img alt="walexee" src="https://avatars.githubusercontent.com/u/12895846?v=4&s=110" width="110">](https://github.com/walexee) |[<img alt="westdavidr" src="https://avatars.githubusercontent.com/u/669668?v=4&s=110" width="110">](https://github.com/westdavidr) |
 :---: |:---: |:---: |:---: |:---: |:---: |
-[v-msamovendyuk](https://github.com/v-msamovendyuk) |[Valkozaur](https://github.com/Valkozaur) |[vicperdana](https://github.com/vicperdana) |[walexee](https://github.com/walexee) |[westdavidr](https://github.com/westdavidr) |[xbotter](https://github.com/xbotter) |
+[tomasz-skarzynski](https://github.com/tomasz-skarzynski) |[v-msamovendyuk](https://github.com/v-msamovendyuk) |[Valkozaur](https://github.com/Valkozaur) |[vicperdana](https://github.com/vicperdana) |[walexee](https://github.com/walexee) |[westdavidr](https://github.com/westdavidr) |
+
+[<img alt="xbotter" src="https://avatars.githubusercontent.com/u/3634877?v=4&s=110" width="110">](https://github.com/xbotter) |
diff --git a/applications/tests/Evaluation.Tests/appsettings.json b/applications/tests/Evaluation.Tests/appsettings.json
@@ -19,9 +19,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -44,9 +44,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -65,6 +65,10 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/src/DocumentAnalysisAudience.cs
+        "AzureIdentityAudience": null,
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
@@ -76,8 +80,13 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        "Endpoint": "https://<...>",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/src/SearchAudience.cs
+        "AzureIdentityAudience": null,
+        // Required when Auth == APIKey
         "APIKey": "",
+        "Endpoint": "https://<...>",
         // Hybrid search is not enabled by default. Note that when using hybrid search
         // relevance scores are different, usually lower, than when using just vector search
         "UseHybridSearch": false,

diff --git a/examples/001-dotnet-WebClient/file9-settings.json b/examples/001-dotnet-WebClient/file9-settings.json
@@ -19,9 +19,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -34,9 +34,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -95,6 +95,10 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/src/DocumentAnalysisAudience.cs
+        "AzureIdentityAudience": null,
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
@@ -106,8 +110,27 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/src/SearchAudience.cs
+        "AzureIdentityAudience": null,
+        // Required when Auth == APIKey
+        "APIKey": "",
         "Endpoint": "https://<...>",
-        "APIKey": ""
+        // Hybrid search is not enabled by default. Note that when using hybrid search
+        // relevance scores are different, usually lower, than when using just vector search
+        "UseHybridSearch": false,
+        // Helps improve relevance score consistency for search services with multiple replicas by
+        // attempting to route a given request to the same replica for that session. Use this when
+        // favoring consistent scoring over lower latency. Can adversely affect performance.
+        //
+        // Whether to use sticky sessions, which can help getting more consistent results.
+        // When using sticky sessions, a best-effort attempt will be made to target the same replica set.
+        // Be wary that reusing the same replica repeatedly can interfere with the load balancing of
+        // the requests across replicas and adversely affect the performance of the search service.
+        //
+        // See https://learn.microsoft.com/rest/api/searchservice/documents/search-post?view=rest-searchservice-2024-07-01&tabs=HTTP#request-body
+        "UseStickySessions": false
       }
     },
     "Retrieval": {

diff --git a/examples/002-dotnet-Serverless/appsettings.json b/examples/002-dotnet-Serverless/appsettings.json
@@ -20,6 +20,10 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/src/DocumentAnalysisAudience.cs
+        "AzureIdentityAudience": null,
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
@@ -31,8 +35,13 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        "Endpoint": "https://<...>",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/src/SearchAudience.cs
+        "AzureIdentityAudience": null,
+        // Required when Auth == APIKey
         "APIKey": "",
+        "Endpoint": "https://<...>",
         // Hybrid search is not enabled by default. Note that when using hybrid search
         // relevance scores are different, usually lower, than when using just vector search
         "UseHybridSearch": false,
@@ -55,6 +64,9 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        "AzureIdentityAudience": null,
         // Azure Storage account name, required when using AzureIdentity auth
         // Note: you can use an env var 'KernelMemory__Services__AzureBlobs__Account' to set this
         "Account": "",
@@ -71,9 +83,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         // Your Azure Deployment name
@@ -106,9 +118,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",

diff --git a/examples/002-dotnet-Serverless/file9-settings.json b/examples/002-dotnet-Serverless/file9-settings.json
@@ -19,9 +19,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -34,9 +34,9 @@
         // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
-        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
         // in which case use this to change the client audience.
-        "AzureOpenAIAudience": null,
+        "AzureIdentityAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -95,6 +95,10 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/src/DocumentAnalysisAudience.cs
+        "AzureIdentityAudience": null,
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
@@ -106,8 +110,27 @@
         //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
         //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // Optional when Auth == AzureIdentity. Leave it null to use the default.
+        // When the service is on sovereign clouds, this setting might be necessary to configure Entra auth tokens.
+        // See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/search/Azure.Search.Documents/src/SearchAudience.cs
+        "AzureIdentityAudience": null,
+        // Required when Auth == APIKey
+        "APIKey": "",
         "Endpoint": "https://<...>",
-        "APIKey": ""
+        // Hybrid search is not enabled by default. Note that when using hybrid search
+        // relevance scores are different, usually lower, than when using just vector search
+        "UseHybridSearch": false,
+        // Helps improve relevance score consistency for search services with multiple replicas by
+        // attempting to route a given request to the same replica for that session. Use this when
+        // favoring consistent scoring over lower latency. Can adversely affect performance.
+        //
+        // Whether to use sticky sessions, which can help getting more consistent results.
+        // When using sticky sessions, a best-effort attempt will be made to target the same replica set.
+        // Be wary that reusing the same replica repeatedly can interfere with the load balancing of
+        // the requests across replicas and adversely affect the performance of the search service.
+        //
+        // See https://learn.microsoft.com/rest/api/searchservice/documents/search-post?view=rest-searchservice-2024-07-01&tabs=HTTP#request-body
+        "UseStickySessions": false
       }
     },
     "Retrieval": {