# Using the SSC Assistant API

This notebook demonstrates how to use the SSC Assistant API with your given API token and a user access token (OAuth2).

In [1]:
```python
import os

import jwt
import msal
import requests
from dotenv import load_dotenv

# Read API_ENDPOINT, API_SCOPE, APP_ID, APP_SECRET and TENANT_ID from a local .env file
load_dotenv()

api_endpoint = os.getenv("API_ENDPOINT")
api_scope = os.getenv("API_SCOPE")

print(api_scope)

app_id = os.getenv("APP_ID")
app_secret = os.getenv("APP_SECRET")
tenant_id = os.getenv("TENANT_ID")

# Confidential client: the application authenticates with its own secret (client credentials flow)
app = msal.ConfidentialClientApplication(
    app_id, authority=f"https://login.microsoftonline.com/{tenant_id}",
    client_credential=app_secret)

# Request an application access token for the API's scope; no user is involved
result = app.acquire_token_for_client(scopes=[api_scope])

if result and "access_token" in result:
    access_token = result['access_token']
    # Decode without verifying the signature: inspection only, the API itself must validate the token
    decoded_token = jwt.decode(access_token, options={"verify_signature": False})
    print(decoded_token)
else:
    print("oops, no token", result)
```

api://5026ea6d-9af1-49be-ba99-10d205d41e78/.default
{'aud': 'api://5026ea6d-9af1-49be-ba99-10d205d41e78', 'iss': 'https://sts.windows.net/4e1ed7ae-062e-4ec8-b989-de8cbd452c54/', 'iat': 1737384526, 'nbf': 1737384526, 'exp': 1737388426, 'aio': 'k2RgYHDRm2eWwTfZrmeqXrvEpGQfAA==', 'appid': 'a6a1622c-1c87-4761-84ca-018c25f59cca', 'appidacr': '1', 'idp': 'https://sts.windows.net/4e1ed7ae-062e-4ec8-b989-de8cbd452c54/', 'oid': 'dd02b054-e039-45bb-a090-0427468979a5', 'rh': '1.ATgArtceTi4GyE65id6MvUUsVG3qJlDxmr5JupkQ0gXUHnj0AAA4AA.', 'roles': ['api.access'], 'sub': 'dd02b054-e039-45bb-a090-0427468979a5', 'tid': '4e1ed7ae-062e-4ec8-b989-de8cbd452c54', 'uti': '9ajMN1c9-EiBQI9Clf0VAQ', 'ver': '1.0'}


## Security

The API is secured and needs two different tokens to access it: an API token (see below) and a user access token (provided by the Microsoft identity provider).

Once we have the `access_token`, we make a single call to the SSC Assistant API to ask a one-off question.

### API Token

To do so we need to ensure we have a valid user (above) and a valid token to send in the `X-API-Key` header as part of the `POST` request.

Such a token can be crafted for testing as below:

**NOTE:** If you are not part of the dev team and you require a real token please contact the SSC Assistant team.

### Confidential Client Application access token

Normally the API relies on a user access token. In this case, to let third parties access the API, the application(s) in question need to be granted permission to request that scope.

Example of `az cli` commands that do this. Note that the `api-permission` here is one of the appRoles and not one of the API scopes, as opposed to the scopes created for the user flow.

```bash
az ad app permission add --id <your-app-id> --api <api-app-id> --api-permission <scope-uuid>=Role
az ad app permission grant --id <your-app-id> --api <api-app-id> --scope api.access.app
```

### Extra documentation for the setup of the application scope

* https://stackoverflow.com/questions/77552241/getting-token-but-not-scope-inside-that-token-using-msal-code
* https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis
* See this [documentation here](../docs/application-config.md#granting-application-the-role)

In [None]:
```python
import jwt

# Test-only API key: an HS256 JWT carrying the role the endpoint requires.
# The signing key must match the one configured on the API; a real key comes from the SSC Assistant team.
api_token = jwt.encode({'roles': ['mysscplus',]}, 'secret', algorithm='HS256')

question = {
  "query": "Who is the president of SSC?",
}

# Both tokens travel with the request: the Entra access token as Bearer, the API key in X-API-Key
response = requests.post(
    str(api_endpoint) + "/api/1.0/mysscplus/suggest",
    headers={'Authorization': f'Bearer {access_token}', 'X-API-Key': api_token},
    json=question,
)

if response.status_code == 200:
    print(response.json())
else:
    print("Error: ", response.text)
```
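The notebook only shows the calling side. As an added example, not taken from the notebook or from the SSC Assistant code base, the block below sketches the checks the receiving API has to make on those two headers, using only the Python standard library: it mints a test `X-API-Key` like the one above (assuming the same HS256 shared secret and a `roles` claim, with an expiry added) and verifies it with a pinned algorithm and a constant-time HMAC comparison, then applies the claim checks on the decoded Entra token shown earlier (`aud`, `roles`, `nbf`/`exp`). The JWKS signature check of the Entra token is assumed to happen before those claim checks and is not included.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_api_key(roles, secret: str, ttl: int = 3600, now=None) -> str:
    """Build an HS256 JWT like the notebook's X-API-Key, adding iat/exp so the key cannot live forever."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps({"roles": list(roles), "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_api_key(token: str, secret: str, required_role: str, now=None) -> bool:
    """Server-side check of X-API-Key: pinned algorithm, HMAC signature, expiry, required role."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it (e.g. "none")
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False
    if "exp" in payload and now >= payload["exp"]:
        return False
    return required_role in payload.get("roles", [])

def check_access_token_claims(claims: dict, expected_aud: str, required_role: str, now=None) -> bool:
    """Claim checks on the decoded Entra access token, assuming its signature was already verified
    against the tenant's JWKS (not shown): aud must be this API's identifier, the app role must be
    present, and the current time must fall inside the nbf/exp window."""
    now = int(time.time()) if now is None else now
    return (claims.get("aud") == expected_aud
            and required_role in claims.get("roles", [])
            and claims.get("nbf", 0) <= now < claims.get("exp", 0))
```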