# APIM ❤️ OpenAI

## Access Controlling lab
![flow](../../images/access-controlling.gif)

Playground to try the [OAuth 2.0 authorization feature](https://learn.microsoft.com/azure/api-management/api-management-authenticate-authorize-azure-openai#oauth-20-authorization-using-identity-provider) using identity provider to enable more fine-grained access to OpenAPI APIs by particular users or client.

### TOC
- [0️⃣ Initialize notebook variables](#0)
- [1️⃣ Create the App Registration in Microsoft Entra ID](#1)
- [2️⃣ Create the Azure Resource Group](#2)
- [3️⃣ Create deployment using 🦾 Bicep](#3)
- [4️⃣ Get the deployment outputs](#4)
- [5️⃣ Create a device flow to get the access token](#5)
- [6️⃣ Acquire the token and query the graph API](#6)
- [🧪 Test the API using a direct HTTP call](#requests)
- [🧪 Test the API using the Azure OpenAI Python SDK](#sdk)
- [🗑️ Clean up resources](#clean)

### Prerequisites
- [Python 3.9 or later version](https://www.python.org/) installed
- [Pandas Library](https://pandas.pydata.org/) installed
- [VS Code](https://code.visualstudio.com/) installed with the [Jupyter notebook extension](https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter) enabled
- [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli) installed
- [An Azure Subscription](https://azure.microsoft.com/free/) with Contributor permissions
- [Access granted to Azure OpenAI](https://aka.ms/oai/access) or just enable the mock service
- [Sign in to Azure with Azure CLI](https://learn.microsoft.com/cli/azure/authenticate-azure-cli-interactively)

<a id='0'></a>
### 0️⃣ Initialize notebook variables

- Resources will be suffixed by a unique string based on your subscription id.
- Adjust the location parameters according your preferences and on the [product availability by Azure region.](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?cdn=disable&products=cognitive-services,api-management) 
- Adjust the OpenAI model and version according the [availability by region.](https://learn.microsoft.com/azure/ai-services/openai/concepts/models) 

In [1]:
import os

deployment_name = os.path.basename(os.path.dirname(globals()['__vsc_ipynb_file__']))
resource_group_name = f"lab-{deployment_name}" # change the name to match your naming style
resource_group_location = "westeurope"

openai_resources = [
    {"name": "openai1", "location": "swedencentral"},
    {"name": "openai2", "location": "francecentral"}
]
openai_model_name = "gpt-35-turbo"
openai_model_version = "0613"
openai_deployment_name = "gpt-35-turbo"
openai_api_version = "2024-02-01"

app_registration_name = "ai-gateway-openai-app"


<a id='1'></a>
### 1️⃣ Create the App Registration in Microsoft Entra ID
The following command creates a client application registration

In [None]:
# type: ignore

cmd_stdout = ! az account show --query homeTenantId --output tsv
tenant_id = cmd_stdout.n
print(f"👉🏻 Tenant Id: {tenant_id}")

client_id = ! az ad app list --filter "displayName eq '{app_registration_name}'" --query [0].appId --output tsv

if not client_id:
    client_id = ! az ad app create --display-name {app_registration_name} --query appId --is-fallback-public-client true --output tsv

client_id = client_id[0] if client_id else None

print(f"👉🏻 Client Id: {client_id}")


<a id='2'></a>
### 2️⃣ Create the Azure Resource Group
All resources deployed in this lab will be created in the specified resource group. Skip this step if you want to use an existing resource group.

In [None]:
# %load ../../shared/snippets/create-az-resource-group.py
# type: ignore

import datetime

resource_group_stdout = ! az group create --name {resource_group_name} --location {resource_group_location}

if resource_group_stdout.n.startswith("ERROR"):
    print(resource_group_stdout)
else:
    print(f"✅ Azure Resource Group {resource_group_name} created ⌚ {datetime.datetime.now().time()}")


<a id='3'></a>
### 3️⃣ Create deployment using 🦾 Bicep

This lab uses [Bicep](https://learn.microsoft.com/azure/azure-resource-manager/bicep/overview?tabs=bicep) to declarative define all the resources that will be deployed. Change the parameters or the [main.bicep](main.bicep) directly to try different configurations. 

In [None]:
# %load ../../shared/snippets/create-az-deployment.py
# type: ignore

import json

backend_id = "openai-backend-pool" if len(openai_resources) > 1 else openai_resources[0].get("name")

with open("policy.xml", 'r') as policy_xml_file:
    policy_xml = policy_xml_file.read()

    if "{backend-id}" in policy_xml:
        policy_xml = policy_xml.replace("{backend-id}", backend_id)

    if "{aad-client-application-id}" in policy_xml:
        policy_xml = policy_xml.replace("{aad-client-application-id}", client_id)

    if "{aad-tenant-id}" in policy_xml:
        policy_xml = policy_xml.replace("{aad-tenant-id}", tenant_id)

    policy_xml_file.close()
open("policy-updated.xml", 'w').write(policy_xml)

bicep_parameters = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "openAIConfig": { "value": openai_resources },
        "openAIDeploymentName": { "value": openai_deployment_name },
        "openAIModelName": { "value": openai_model_name },
        "openAIModelVersion": { "value": openai_model_version },
        "openAIAPIVersion": { "value": openai_api_version }
    }
}

with open('params.json', 'w') as bicep_parameters_file:
    bicep_parameters_file.write(json.dumps(bicep_parameters))

! az deployment group create --name {deployment_name} --resource-group {resource_group_name} --template-file "main.bicep" --parameters "params.json"


<a id='4'></a>
### 4️⃣ Get the deployment outputs

We are now at the stage where we only need to retrieve the gateway URL and the subscription before we are ready for testing.

In [None]:
# %load ../../shared/snippets/deployment-outputs.py
# type: ignore

# Obtain all of the outputs from the deployment
stdout = ! az deployment group show --name {deployment_name} -g {resource_group_name} --query properties.outputs -o json
outputs = json.loads(stdout.n)

# Extract the individual properties
apim_service_id = outputs.get('apimServiceId', {}).get('value', '')
apim_subscription_key = outputs.get('apimSubscriptionKey', {}).get('value', '')
apim_subscription1_key = outputs.get('apimSubscription1Key', {}).get('value', '')
apim_subscription2_key = outputs.get('apimSubscription2Key', {}).get('value', '')
apim_subscription3_key = outputs.get('apimSubscription3Key', {}).get('value', '')
apim_resource_gateway_url = outputs.get('apimResourceGatewayURL', {}).get('value', '')
workspace_id = outputs.get('logAnalyticsWorkspaceId', {}).get('value', '')
app_id = outputs.get('applicationInsightsAppId', {}).get('value', '')
function_app_resource_name = outputs.get('functionAppResourceName', {}).get('value', '')
cosmosdb_connection_string = outputs.get('cosmosDBConnectionString', {}).get('value', '')

# Print the extracted properties if they are not empty
if apim_service_id:
    print(f"👉🏻 APIM Service Id: {apim_service_id}")

if apim_subscription_key:
    print(f"👉🏻 APIM Subscription Key (masked): ****{apim_subscription_key[-4:]}")

if apim_subscription1_key:
    print(f"👉🏻 APIM Subscription Key 1 (masked): ****{apim_subscription1_key[-4:]}")

if apim_subscription2_key:
    print(f"👉🏻 APIM Subscription Key 2 (masked): ****{apim_subscription2_key[-4:]}")

if apim_subscription3_key:
    print(f"👉🏻 APIM Subscription Key 3 (masked): ****{apim_subscription3_key[-4:]}")

if apim_resource_gateway_url:
    print(f"👉🏻 APIM API Gateway URL: {apim_resource_gateway_url}")

if workspace_id:
    print(f"👉🏻 Workspace ID: {workspace_id}")

if app_id:
    print(f"👉🏻 App ID: {app_id}")

if function_app_resource_name:
    print(f"👉🏻 Function Name: {function_app_resource_name}")

if cosmosdb_connection_string:
    print(f"👉🏻 Cosmos DB Connection String: {cosmosdb_connection_string}")


<a id='5'></a>
### 5️⃣ Create a device flow to get the access token

Notes for fine grained authorization:
- The APIM [JWT validation policy](https://learn.microsoft.com/azure/api-management/validate-azure-ad-token-policy) can check for specific claims (that needs to exist in the token) and apply fine-grained authorization.
- Group claims is a typical method. You can use this approach to drive authorization. However, when the user is a member of too many groups, the `groups` will be excluded from the token due to limitations in token size.
- An alternative is to configure app role definitions and assign users/groups to app roles. This Zero Trust developer best practice improves flexibility and control while increasing application security with least privilege. [Learn more](https://learn.microsoft.com/security/zero-trust/develop/configure-tokens-group-claims-app-roles).
- To obtain the `roles` claim, navigate to the "Expose an API" section of the App Registration. Add the Application ID URI and a scope. Then, copy the full scope (app://<id>/scope) and add it to the scopes array below.
- Navigate to the "App Roles" blade and create an App Role (ex: OpenAI.ChatCompletion) for Users/Groups members. Then assign the testing user or group to the App Role.   
- After logging in, use https://jwt.io/ to decode the `access_token` variable and verify that the `roles` are being sent.
- With the above configuration, you can add the following fragment to the APIM policy to verify that the user belongs to a specific App Role:
```
            <required-claims>
                <claim name="roles" match="any">
                    <value>OpenAI.ChatCompletion</value>
                </claim>
            </required-claims>
```



In [None]:
import json
import msal

app = msal.PublicClientApplication(client_id, authority = "https://login.microsoftonline.com/" + tenant_id)

flow = app.initiate_device_flow(scopes = ["User.Read"])

if "user_code" not in flow:
    raise ValueError(
        "Fail to create device flow. Err: %s" % json.dumps(flow, indent = 4))

print(flow["message"])

<a id='6'></a>
### 6️⃣ Acquire the token and query the graph API

In [None]:
import requests

result = app.acquire_token_by_device_flow(flow)

if "access_token" in result:
    access_token = result['access_token']
    # Calling graph using the access token
    graph_data = requests.get(  # Use token to call downstream service
        "https://graph.microsoft.com/v1.0/me",
        headers={'Authorization': 'Bearer ' + access_token},).json()
    print("Graph API call result: %s" % json.dumps(graph_data, indent = 2))
    # print(access_token) # Use a tool like https://jwt.io/ to decode the access token and see its contents
else:
    print(result.get("error"))
    print(result.get("error_description"))
    print(result.get("correlation_id"))  # You may need this when reporting a bug

<a id='requests'></a>
### 🧪 Test the API using a direct HTTP call
Requests is an elegant and simple HTTP library for Python that will be used here to make raw API requests and inspect the responses.

In [None]:
url = apim_resource_gateway_url + "/openai/deployments/" + openai_deployment_name + "/chat/completions?api-version=" + openai_api_version

messages = { "messages": [
    {"role": "system", "content": "You are a sarcastic unhelpful assistant."},
    {"role": "user", "content": "Can you tell me the time, please?"}
]}

response = requests.post(url, headers = {'api-key': apim_subscription_key, 'Authorization': 'Bearer ' + access_token}, json = messages)
print(f"status code: {response.status_code}")

if (response.status_code == 200):
    data = json.loads(response.text)
    print(f"response: {data.get("choices")[0].get("message").get("content")}")
else:
    print(response.text)


<a id='sdk'></a>
### 🧪 Test the API using the Azure OpenAI Python SDK
OpenAPI provides a widely used [Python library](https://github.com/openai/openai-python). The library includes type definitions for all request params and response fields. The goal of this test is to assert that APIM can seamlessly proxy requests to OpenAI without disrupting its functionality.
- Note: run ```pip install openai``` in a terminal before executing this step.

In [None]:
from openai import AzureOpenAI

messages = [
    {"role": "system", "content": "You are a sarcastic unhelpful assistant."},
    {"role": "user", "content": "Can you tell me the time, please?"}
]

client = AzureOpenAI(
    azure_endpoint = apim_resource_gateway_url,
    api_key = apim_subscription_key,
    api_version = openai_api_version
)

response = client.chat.completions.create(model = openai_model_name, messages = messages, extra_headers = {"Authorization": "Bearer " + access_token})  # type: ignore

print(response.choices[0].message.content)


<a id='clean'></a>
### 🗑️ Clean up resources

When you're finished with the lab, you should remove all your deployed resources from Azure to avoid extra charges and keep your Azure subscription uncluttered.
Use the [clean-up-resources notebook](clean-up-resources.ipynb) for that.