Add support for interactive Entra ID authentication to chat_azure()
#273
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds support for another major Azure authentication
approach: the OAuth authorization code flow, as used by the Azure CLI.
This is a good choice for authentiation during development on desktop,
and Microsoft recommends it for Azure OpenAI because it doesn't require
storing sensitive long-lived secrets like API keys.
All of this is pretty stock httr2 OAuth stuff, despite the fact that
Entra ID has its own... idiosyncrasies. I also went out of the way to
add a really specific error message for what I believe to be a common
source of problems: misconfiguration of Azure's RBAC. It looks as
follows:
Error in `req_perform_connection()` at elmer/R/httr2.R:36:3:
! HTTP 401 Unauthorized.
• PermissionDenied: Principal does not have access to API/Operation.
ℹ Your user or service principal likely needs one of the following
roles: Cognitive Services OpenAI User, Cognitive Services OpenAI
Contributor, or Cognitive Services Contributor.
I haven't added any unit tests (I don't know how to do so for this kind
of interactive OAuth flow), but at least the help documentation has been
updated.
Signed-off-by: Aaron Jacobs <aaron.jacobs@posit.co>
hadley
approved these changes
Jan 25, 2025
| # Try to be helpful in the (common) case that the user or service | ||
| # principal is missing the necessary role. | ||
| # See: https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/role-based-access-control | ||
| if (error$message == "Principal does not have access to API/Operation.") { |
There was a problem hiding this comment.
Maybe use identical() here? Otherwise if message is every anything other than a string, you'll get a weird error.
| roles: {.emph Cognitive Services OpenAI User}, | ||
| {.emph Cognitive Services OpenAI Contributor}, or | ||
| {.emph Cognitive Services Contributor}.", | ||
| keep_whitespace = FALSE |
There was a problem hiding this comment.
Do you need that? I think it will get re-wrapped anyway?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds support for another major Azure authentication approach: the OAuth authorization code flow, as used by the Azure CLI.
This is a good choice for authentiation during development on desktop, and Microsoft recommends it for Azure OpenAI because it doesn't require storing sensitive long-lived secrets like API keys.
All of this is pretty stock httr2 OAuth stuff, despite the fact that Entra ID has its own... idiosyncrasies. I also went out of the way to add a really specific error message for what I believe to be a common source of problems: misconfiguration of Azure's RBAC. It looks as follows:
I haven't added any unit tests (I don't know how to do so for this kind of interactive OAuth flow), but at least the help documentation has been updated.