# Using the SSC Assistant API

This will demonstrate how to use the SSC Assistant API using your given API token and a user Access token (oauth2).

In [13]:
import os

import jwt
import msal
import requests
from dotenv import load_dotenv

load_dotenv()

api_endpoint = os.getenv("API_ENDPOINT")
api_scope = os.getenv("API_SCOPE")

app_id = os.getenv("APP_ID")
app_secret = os.getenv("APP_SECRET")
tenant_id = os.getenv("TENANT_ID")

app = msal.ConfidentialClientApplication(
    app_id, authority=f"https://login.microsoftonline.com/{tenant_id}",
    client_credential=app_secret)

# for confidential clients, the `.default` scope is the only scope that will work.
result = app.acquire_token_for_client(scopes=[api_scope])

if result and "access_token" in result:
    access_token = result['access_token']
    decoded_token = jwt.decode(access_token, options={"verify_signature": False})
    if "roles" in decoded_token:
        print("roles", decoded_token["roles"])
    else:
        print("No roles in token, might be missing permissions or grant approval..")
else:
    print("oops, no token", result)

roles ['api.access']


## Security

API Is secured and need two different token in order to access it, first an API token (see below) and a user access token (provided by microsoft idp)

Once we have the access_token we simply make a simple call to the SSC Assistant API to ask a one-of question.

### API Token

To do so we need to ensure we have a valid user (above) and a valid token to send in the `X-API-Key` header as part of the `POST` request.

Such token can be crafted for testing as bellow:

**NOTE:** If you are not part of the dev team and you require a real token please contact the SSC Assistant team.

### Confidential Client Application access token

Normally the api relies on User access token, in this case for having 3rd parties access the API they (the application(s) in question) need to be granted the permission to request that scope.

Example of an `az cli` that does such thing. Note that the `api-permission` here is from the appRoles and not the api scopes as oposed to scopes created for user flow.

```bash
az ad app permission add --id <your-app-id> --api <api-app-id> --api-permission <scope-uuid>=Role
az ad app permission grant --id <your-app-id> --api <api-app-id> --scope api.access.app
```

### Extra documentation for the setup of the application scope

* https://stackoverflow.com/questions/77552241/getting-token-but-not-scope-inside-that-token-using-msal-code
* https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis
* See this [documentation here](../docs/application-config.md#granting-application-the-role)

In [None]:
import jwt
import json

api_token = jwt.encode({'roles': ['suggest',]}, 'secret', algorithm='HS256')

question = {
  "query": "Who is the president of SSC?",
}

response = requests.post(str(api_endpoint) + "/api/1.0/suggest", headers={'Authorization': f'Bearer {access_token}', 'X-API-Key': api_token}, json=question)

if response.status_code == 200:
    print(json.dumps(response.json(), indent=4))
else:
    print("Error: ", response.text)

{
    "completion_tokens": 52,
    "message": {
        "attachments": null,
        "content": "The current President of Shared Services Canada (SSC) is Scott Jones, who was appointed to the position effective September 11, 2023 [doc1].",
        "context": {
            "citations": [
                {
                    "chunk_id": null,
                    "content": "Scott Jones Scott Jones was appointed President of Shared Services Canada (SSC) effective September 11, 2023. Previous to this appointment, he was Executive Vice-President of SSC and, concurrently, Associate Deputy Minister of Public Services and Procurement Canada. Prior to April 2022, Scott was the Federal Lead on Proof of Vaccine Credentials and Associate Deputy Minister of Immigration, Refugees and Citizenship Canada (IRCC). He collaborated with federal partners, provinces and territories to successfully deliver the Canadian COVID-19 proof of vaccination program that is used for travel in Canada and international