Utilize QnABot idtoken and optionally pass to Kendra based authentication #513
The purpose of this change is to allow QnABot to be configured to pass an OpenID JWT to Kendra Index(es). It is controlled by the new configuration setting "ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH" which defaults to "false". If "ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH" is set to "true" and "_userInfo.isVerifiedIdentity" is "true", then QnABot will pass the idtoken with each Kendra Index query configured for fallback (i.e. ALT_SEARCH_KENDRA_INDEXES).
The primary changes have been made to the es-proxy-layer within the kendra.js file.
Supporting changes have been made to add a new Setting ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH with documentation.
The Settings that are in play:
Some notes about the 8 Use Cases:
The following 8 Use Cases have been explored:
CASE 1: Kendra Index has Auth Enabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.
CASE 2: Kendra Index has Auth Enabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.
CASE 3: Kendra Index has Auth Disabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.
CASE 4: Kendra Index has Auth Disabled. isVerifiedIdentity === "false". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.
CASE 5: Kendra Index has Auth Enabled. isVerifiedIdentity === true. ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.
* CASE 6: [EXPECTED PATH] Kendra Index has Auth Enabled. isVerifiedIdentity === "true". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.
CASE 7: Kendra Index has Auth Disabled. isVerifiedIdentity === true. ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === false.
CASE 8: Kendra Index has Auth Disabled. isVerifiedIdentity === "true". ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH === true.
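
The gating rule from the description, as an added example that is not code from this pull request or from QnABot: the token is attached only when both the setting and `isVerifiedIdentity` are explicitly true, with string and boolean forms handled because the string "false" is truthy in JavaScript. The helper names, the `idToken` parameter and the sample values are assumptions; `UserContext.Token` is the Kendra Query API field that carries a JWT.

```javascript
// Added example: hypothetical helpers, not code from the QnABot repository.
// Setting and field names come from the PR description; everything else is assumed.

// Settings and session attributes may arrive as booleans or as strings.
// The string "false" is truthy in JavaScript, so compare explicitly.
function isTrue(value) {
  return value === true ||
    (typeof value === 'string' && value.trim().toLowerCase() === 'true');
}

// Decide whether the id token may accompany a Kendra fallback query.
// Fails closed: any missing or malformed input means no token is sent.
function shouldPassToken(settings, userInfo, idToken) {
  return isTrue(settings && settings.ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH) &&
    isTrue(userInfo && userInfo.isVerifiedIdentity) &&
    typeof idToken === 'string' && idToken.length > 0;
}

// Build Kendra Query parameters, adding UserContext.Token only when allowed.
function buildKendraQueryParams(indexId, queryText, settings, userInfo, idToken) {
  const params = { IndexId: indexId, QueryText: queryText };
  if (shouldPassToken(settings, userInfo, idToken)) {
    params.UserContext = { Token: idToken };
  }
  return params;
}

// Constructed inputs: every boolean/string combination of the two flags.
function runMatrix() {
  const token = 'header.payload.signature'; // constructed placeholder, not a real JWT
  const values = [false, 'false', true, 'true'];
  const rows = [];
  for (const setting of values) {
    for (const verified of values) {
      const params = buildKendraQueryParams(
        'constructed-index-id', 'vpn setup',
        { ALT_SEARCH_KENDRA_INDEXES_TOKEN_AUTH: setting },
        { isVerifiedIdentity: verified }, token);
      rows.push({ setting, verified, tokenSent: 'UserContext' in params });
    }
  }
  return rows;
}

console.table(runMatrix());
```

Whether the index itself has token authentication enabled is not visible to this code, so the eight cases collapse to four on the client side.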