Fetch AAD authentication info from backend (microsoft#427)

### Motivation and Context

<!-- Thank you for your contribution to the chat-copilot repo!
Please help reviewers and future users, providing the following
information:
  1. Why is this change required?
  2. What problem does it solve?
  3. What scenario does it contribute to?
  4. If it fixes an open issue, please link to the issue here.
-->
this PR prepares the frontend for microsoft#377 and removes the need for any AAD
configuration environment variables.

### Description
- removes `REACT_APP_AUTH_TYPE` and all variables starting with
`REACT_APP_AAD_`
- calls the `/authConfig` endpoint when the app first loads and if
needed, renders the `MsalProvider` using the fetched config.
- updates workflows and deployment scripts accordingly

<!-- Describe your changes, the overall approach, the underlying design.
These notes will help understanding how your code works. Thanks! -->

### Contribution Checklist

<!-- Before submitting this PR, please make sure: -->

- [X] The code builds clean without any errors or warnings
- [X] The PR follows the [Contribution
Guidelines](https://github.com/microsoft/chat-copilot/blob/main/CONTRIBUTING.md)
and the [pre-submission formatting
script](https://github.com/microsoft/chat-copilot/blob/main/CONTRIBUTING.md#development-scripts)
raises no violations
- [X] All unit tests pass, and I have added new tests where possible
- [X] I didn't break anyone 😄

Author: dehoward

.github/workflows/copilot-build-images.yml

@@ -6,15 +6,6 @@ on:
       REACT_APP_BACKEND_URI:
         required: true
         type: string
-      REACT_APP_AAD_AUTHORITY:
-        required: true
-        type: string
-      REACT_APP_AAD_CLIENT_ID:
-        required: true
-        type: string
-      REACT_APP_AAD_API_SCOPE:
-        required: false
-        type: string
 env:
   REGISTRY: ghcr.io
 
@@ -38,9 +29,6 @@ jobs:
             image: ${{ github.repository }}-webapp-nginx
             build-args: |
               REACT_APP_BACKEND_URI=${{ inputs.REACT_APP_BACKEND_URI }}
-              REACT_APP_AAD_AUTHORITY=${{ inputs.REACT_APP_AAD_AUTHORITY }}
-              REACT_APP_AAD_CLIENT_ID=${{ inputs.REACT_APP_AAD_CLIENT_ID }}
-              REACT_APP_AAD_API_SCOPE=${{ inputs.REACT_APP_AAD_API_SCOPE }}
     permissions:
       contents: read
       packages: write

.github/workflows/copilot-test-e2e.yml

@@ -71,11 +71,6 @@ jobs:
         env:
           REACT_APP_BACKEND_URI: https://localhost:40443/
 
-          REACT_APP_AUTH_TYPE: AzureAd
-          REACT_APP_AAD_AUTHORITY: https://login.microsoftonline.com/${{ secrets.COPILOT_CHAT_TEST_TENANT_ID }}
-          REACT_APP_AAD_CLIENT_ID: ${{ secrets.COPILOT_CHAT_TEST_APP_AAD_WEBAPP_CLIENT_ID }}
-          REACT_APP_AAD_API_SCOPE: api://${{ secrets.COPILOT_CHAT_TEST_APP_AAD_WEBAPI_CLIENT_ID }}/access_as_user
-
           REACT_APP_TEST_USER_ACCOUNT1: ${{ secrets.COPILOT_CHAT_TEST_USER_ACCOUNT1 }}
           REACT_APP_TEST_USER_ACCOUNT1_INITIALS: ${{ secrets.COPILOT_CHAT_TEST_USER_ACCOUNT1_INITIALS }}
           REACT_APP_TEST_USER_ACCOUNT2: ${{ secrets.COPILOT_CHAT_TEST_USER_ACCOUNT2 }}

docker/webapp/Dockerfile.nginx

@@ -1,21 +1,12 @@
 # source webapp/.env
-# docker build --build-arg REACT_APP_BACKEND_URI=$REACT_APP_BACKEND_URI --build-arg REACT_APP_AAD_AUTHORITY=$REACT_APP_AAD_AUTHORITY --build-arg REACT_APP_AAD_CLIENT_ID=$REACT_APP_AAD_CLIENT_ID --build-arg  REACT_APP_AAD_API_SCOPE=$REACT_APP_AAD_API_SCOPE -f docker/webapp/Dockerfile.nginx -t chat-copilot-webapp-nginx .
+# docker build --build-arg REACT_APP_BACKEND_URI=$REACT_APP_BACKEND_URI -f docker/webapp/Dockerfile.nginx -t chat-copilot-webapp-nginx .
 
 # builder
 FROM node:lts-alpine as builder
 
 ARG REACT_APP_BACKEND_URI
 ENV REACT_APP_BACKEND_URI $REACT_APP_BACKEND_URI
 
-ARG REACT_APP_AAD_AUTHORITY
-ENV REACT_APP_AAD_AUTHORITY $REACT_APP_AAD_AUTHORITY
-
-ARG REACT_APP_AAD_CLIENT_ID
-ENV REACT_APP_AAD_CLIENT_ID $REACT_APP_AAD_CLIENT_ID
-
-ARG REACT_APP_AAD_API_SCOPE
-ENV REACT_APP_AAD_API_SCOPE $REACT_APP_AAD_API_SCOPE
-
 WORKDIR /app
 COPY webapp/ .
 RUN yarn install \

scripts/Configure.ps1

@@ -217,14 +217,6 @@ $webappEnvFilePath = Join-Path "$webappProjectPath" '/.env'
 Write-Host "Setting up '.env'..."
 Set-Content -Path $webappEnvFilePath -Value "REACT_APP_BACKEND_URI=https://localhost:40443/"
 
-if ($authType -eq $varAzureAd) {
-    Write-Host "Configuring Azure AD authentication..."
-    Add-Content -Path $webappEnvFilePath -Value "REACT_APP_AUTH_TYPE=AzureAd"
-    Add-Content -Path $webappEnvFilePath -Value "REACT_APP_AAD_AUTHORITY=$($Instance.Trim("/"))/$TenantId"
-    Add-Content -Path $webappEnvFilePath -Value "REACT_APP_AAD_CLIENT_ID=$FrontendClientId"
-    Add-Content -Path $webappEnvFilePath -Value "REACT_APP_AAD_API_SCOPE=api://$BackendClientId/access_as_user"
-}
-
 Write-Host "($webappEnvFilePath)"
 Write-Host "========"
 Get-Content $webappEnvFilePath | Write-Host

scripts/configure.sh

@@ -206,6 +206,9 @@ APPSETTINGS_OVERRIDES="{
       \"EmbeddingGeneratorType\": \"${AI_SERVICE}\"
     },
     \"Services\": ${AISERVICE_OVERRIDES}
+  },
+  \"Frontend\": {
+    \"AadClientId\": \"${FRONTEND_CLIENT_ID}\"
   }
 }"
 APPSETTINGS_OVERRIDES_FILEPATH="${WEBAPI_PROJECT_PATH}/appsettings.${ENV_ASPNETCORE}.json"
@@ -229,16 +232,6 @@ WEBAPP_ENV_FILEPATH="${WEBAPP_PROJECT_PATH}/.env"
 echo "Setting up '.env' for webapp..."
 echo "REACT_APP_BACKEND_URI=https://localhost:40443/" >$WEBAPP_ENV_FILEPATH
 
-if [ "$AUTH_TYPE" = "$ENV_AZURE_AD" ]; then
-  echo "Configuring Azure AD authentication..."
-  echo "REACT_APP_AUTH_TYPE=AzureAd" >>$WEBAPP_ENV_FILEPATH
-  # Trim any trailing slash from instance before generating authority
-  INSTANCE=${INSTANCE%/}
-  echo "REACT_APP_AAD_AUTHORITY=$INSTANCE/$TENANT_ID" >>$WEBAPP_ENV_FILEPATH
-  echo "REACT_APP_AAD_CLIENT_ID=$FRONTEND_CLIENT_ID" >>$WEBAPP_ENV_FILEPATH
-  echo "REACT_APP_AAD_API_SCOPE=api://$BACKEND_CLIENT_ID/access_as_user" >>$WEBAPP_ENV_FILEPATH
-fi
-
 echo "($WEBAPP_ENV_FILEPATH)"
 echo "========"
 cat $WEBAPP_ENV_FILEPATH

scripts/deploy/README.md

@@ -11,7 +11,7 @@ This document details how to deploy Chat Copilot's required resources to your Az
 
 - `F1` and `D1` SKUs for the App Service Plans are not currently supported for this deployment in order to support private networking.
 
-- Chat Copilot deployments use Azure Active Directory for authentication. All endpoints (except `/healthz`) require authentication to access.
+- Chat Copilot deployments use Azure Active Directory for authentication. All endpoints (except `/healthz` and `/authInfo`) require authentication to access.
 
 # Configure your environment
 

scripts/deploy/deploy-webapp.ps1

@@ -65,22 +65,12 @@ foreach ($pluginName in $pluginNames) {
     Write-Host "pluginName: $pluginName"
 }
 
-$webapiSettings = $(az webapp config appsettings list --name $webapiName --resource-group $ResourceGroupName | ConvertFrom-JSON)
-$webapiClientId = ($webapiSettings | Where-Object -Property name -EQ -Value Authentication:AzureAd:ClientId).value
-$webapiTenantId = ($webapiSettings | Where-Object -Property name -EQ -Value Authentication:AzureAd:TenantId).value
-$webapiInstance = ($webapiSettings | Where-Object -Property name -EQ -Value Authentication:AzureAd:Instance).value
-$webapiScope = ($webapiSettings | Where-Object -Property name -EQ -Value Authentication:AzureAd:Scopes).value
-
 # Set ASCII as default encoding for Out-File
 $PSDefaultParameterValues['Out-File:Encoding'] = 'ascii'
 
 $envFilePath = "$PSScriptRoot/../../webapp/.env"
 Write-Host "Writing environment variables to '$envFilePath'..."
 "REACT_APP_BACKEND_URI=https://$webapiUrl/" | Out-File -FilePath $envFilePath
-"REACT_APP_AUTH_TYPE=AzureAd" | Out-File -FilePath $envFilePath -Append
-"REACT_APP_AAD_AUTHORITY=$($webapiInstance.Trim("/"))/$webapiTenantId" | Out-File -FilePath $envFilePath -Append
-"REACT_APP_AAD_CLIENT_ID=$FrontendClientId" | Out-File -FilePath $envFilePath -Append
-"REACT_APP_AAD_API_SCOPE=api://$webapiClientId/$webapiScope" | Out-File -FilePath $envFilePath -Append
 "REACT_APP_SK_VERSION=$Version" | Out-File -FilePath $envFilePath -Append
 "REACT_APP_SK_BUILD_INFO=$VersionInfo" | Out-File -FilePath $envFilePath -Append
 

scripts/deploy/deploy-webapp.sh

@@ -102,23 +102,11 @@ echo "WEB_API_NAME: $WEB_API_NAME"
 eval PLUGIN_NAMES=$(echo $DEPLOYMENT_JSON | jq -r '.properties.outputs.pluginNames.value[]')
 echo "PLUGIN_NAMES: $PLUGIN_NAMES"
 
-WEB_API_SETTINGS=$(az webapp config appsettings list --name $WEB_API_NAME --resource-group $RESOURCE_GROUP --output json)
-eval WEB_API_CLIENT_ID=$(echo $WEB_API_SETTINGS | jq '.[] | select(.name=="Authentication:AzureAd:ClientId").value')
-eval WEB_API_TENANT_ID=$(echo $WEB_API_SETTINGS | jq '.[] | select(.name=="Authentication:AzureAd:TenantId").value')
-eval WEB_API_INSTANCE=$(echo $WEB_API_SETTINGS | jq '.[] | select(.name=="Authentication:AzureAd:Instance").value')
-eval WEB_API_SCOPE=$(echo $WEB_API_SETTINGS | jq '.[] | select(.name=="Authentication:AzureAd:Scopes").value')
-
 ENV_FILE_PATH="$SCRIPT_ROOT/../../webapp/.env"
 echo "Writing environment variables to '$ENV_FILE_PATH'..."
-echo "REACT_APP_BACKEND_URI=https://$WEB_API_URL/" >$ENV_FILE_PATH
-echo "REACT_APP_AUTH_TYPE=AzureAd" >>$ENV_FILE_PATH
-# Trim any trailing slash from instance before generating authority
-WEB_API_INSTANCE=${WEB_API_INSTANCE%/}
-echo "REACT_APP_AAD_AUTHORITY=$WEB_API_INSTANCE/$WEB_API_TENANT_ID" >>$ENV_FILE_PATH
-echo "REACT_APP_AAD_CLIENT_ID=$FRONTEND_CLIENT_ID" >>$ENV_FILE_PATH
-echo "REACT_APP_AAD_API_SCOPE=api://$WEB_API_CLIENT_ID/$WEB_API_SCOPE" >>$ENV_FILE_PATH
-echo "REACT_APP_SK_VERSION=$VERSION" >>$ENV_FILE_PATH
-echo "REACT_APP_SK_BUILD_INFO=$VERSION_INFO" >>$ENV_FILE_PATH
+echo "REACT_APP_BACKEND_URI=https://$WEB_API_URL/" > $ENV_FILE_PATH
+echo "REACT_APP_SK_VERSION=$VERSION" >> $ENV_FILE_PATH
+echo "REACT_APP_SK_BUILD_INFO=$VERSION_INFO" >> $ENV_FILE_PATH
 
 echo "Writing swa-cli.config.json..."
 SWA_CONFIG_FILE_PATH="$SCRIPT_ROOT/../../webapp/swa-cli.config.json"

webapi/Controllers/MaintenanceController.cs

@@ -2,7 +2,6 @@
 
 using System.Threading;
 using System.Threading.Tasks;
-using CopilotChat.WebApi.Auth;
 using CopilotChat.WebApi.Models.Response;
 using CopilotChat.WebApi.Options;
 using CopilotChat.WebApi.Services.MemoryMigration;
@@ -23,19 +22,16 @@ public class MaintenanceController : ControllerBase
 
     private readonly ILogger<MaintenanceController> _logger;
     private readonly IOptions<ServiceOptions> _serviceOptions;
-    private readonly IAuthInfo _authInfo;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="MaintenanceController"/> class.
     /// </summary>
     public MaintenanceController(
         ILogger<MaintenanceController> logger,
-        IOptions<ServiceOptions> serviceOptions,
-        IAuthInfo authInfo)
+        IOptions<ServiceOptions> serviceOptions)
     {
         this._logger = logger;
         this._serviceOptions = serviceOptions;
-        this._authInfo = authInfo;
     }
 
     /// <summary>

webapp/.env.example

@@ -1,15 +1,6 @@
 # Required Variables
-# If you add any new required variables, make sure you update the variables list in the checkEnv.ts file as well.
 REACT_APP_BACKEND_URI=https://localhost:40443/
 
-# To enable authorization using Azure Active Directory, uncomment the following variables
-# See paragraph "(Optional) Enable backend authorization via Azure AD" in README.md for details and setup
-# REACT_APP_AUTH_TYPE=AzureAd
-# REACT_APP_AAD_AUTHORITY=https://login.microsoftonline.com/{YOUR_TENANT_ID}
-# REACT_APP_AAD_CLIENT_ID=
-# Authorization scopes to access webapi when using Azure AD authorization.
-# REACT_APP_AAD_API_SCOPE=
-
 # To enable HTTPS, uncomment the following variables
 # HTTPS="true"
 # Replace with your locally-trusted cert file

webapp/src/App.tsx

@@ -4,7 +4,7 @@ import { AuthenticatedTemplate, UnauthenticatedTemplate, useIsAuthenticated, use
 import { FluentProvider, Subtitle1, makeStyles, shorthands, tokens } from '@fluentui/react-components';
 
 import * as React from 'react';
-import { FC, useEffect } from 'react';
+import { useEffect } from 'react';
 import { UserSettingsMenu } from './components/header/UserSettingsMenu';
 import { PluginGallery } from './components/open-api-plugins/PluginGallery';
 import { BackendProbe, ChatView, Error, Loading, Login } from './components/views';
@@ -50,20 +50,21 @@ export const useClasses = makeStyles({
 enum AppState {
     ProbeForBackend,
     SettingUserInfo,
+    ErrorLoadingChats,
     ErrorLoadingUserInfo,
     LoadingChats,
     Chat,
     SigningOut,
 }
 
-const App: FC = () => {
+const App = () => {
     const classes = useClasses();
 
     const [appState, setAppState] = React.useState(AppState.ProbeForBackend);
     const dispatch = useAppDispatch();
 
     const { instance, inProgress } = useMsal();
-    const { activeUserInfo, features, isMaintenance } = useAppSelector((state: RootState) => state.app);
+    const { features, isMaintenance } = useAppSelector((state: RootState) => state.app);
     const isAuthenticated = useIsAuthenticated();
 
     const chat = useChat();
@@ -75,48 +76,45 @@ const App: FC = () => {
             return;
         }
 
-        if (isAuthenticated) {
-            if (appState === AppState.SettingUserInfo) {
-                if (activeUserInfo === undefined) {
-                    const account = instance.getActiveAccount();
-                    if (!account) {
-                        setAppState(AppState.ErrorLoadingUserInfo);
-                    } else {
-                        dispatch(
-                            setActiveUserInfo({
-                                id: `${account.localAccountId}.${account.tenantId}`,
-                                email: account.username, // Username in an AccountInfo object is the email address
-                                username: account.name ?? account.username,
-                            }),
-                        );
-
-                        // Privacy disclaimer for internal Microsoft users
-                        if (account.username.split('@')[1] === 'microsoft.com') {
-                            dispatch(
-                                addAlert({
-                                    message:
-                                        'By using Chat Copilot, you agree to protect sensitive data, not store it in chat, and allow chat history collection for service improvements. This tool is for internal use only.',
-                                    type: AlertType.Info,
-                                }),
-                            );
-                        }
-
-                        setAppState(AppState.LoadingChats);
-                    }
-                } else {
-                    setAppState(AppState.LoadingChats);
+        if (isAuthenticated && appState === AppState.SettingUserInfo) {
+            const account = instance.getActiveAccount();
+            if (!account) {
+                setAppState(AppState.ErrorLoadingUserInfo);
+            } else {
+                dispatch(
+                    setActiveUserInfo({
+                        id: `${account.localAccountId}.${account.tenantId}`,
+                        email: account.username, // username is the email address
+                        username: account.name ?? account.username,
+                    }),
+                );
+
+                // Privacy disclaimer for internal Microsoft users
+                if (account.username.split('@')[1] === 'microsoft.com') {
+                    dispatch(
+                        addAlert({
+                            message:
+                                'By using Chat Copilot, you agree to protect sensitive data, not store it in chat, and allow chat history collection for service improvements. This tool is for internal use only.',
+                            type: AlertType.Info,
+                        }),
+                    );
                 }
+
+                setAppState(AppState.LoadingChats);
             }
         }
 
         if ((isAuthenticated || !AuthHelper.isAuthAAD()) && appState === AppState.LoadingChats) {
             void Promise.all([
                 // Load all chats from memory
-                chat.loadChats().then((succeeded) => {
-                    if (succeeded) {
+                chat
+                    .loadChats()
+                    .then(() => {
                         setAppState(AppState.Chat);
-                    }
-                }),
+                    })
+                    .catch(() => {
+                        setAppState(AppState.ErrorLoadingChats);
+                    }),
 
                 // Check if content safety is enabled
                 file.getContentSafetyStatus(),
@@ -133,7 +131,7 @@ const App: FC = () => {
         // eslint-disable-next-line react-hooks/exhaustive-deps
     }, [instance, inProgress, isAuthenticated, appState, isMaintenance]);
 
-    // TODO: [Issue #41] handle error case of missing account information
+    const content = <Chat classes={classes} appState={appState} setAppState={setAppState} />;
     return (
         <FluentProvider
             className="app-container"
@@ -150,12 +148,10 @@ const App: FC = () => {
                             {appState !== AppState.SigningOut && <Login />}
                         </div>
                     </UnauthenticatedTemplate>
-                    <AuthenticatedTemplate>
-                        <Chat classes={classes} appState={appState} setAppState={setAppState} />
-                    </AuthenticatedTemplate>
+                    <AuthenticatedTemplate>{content}</AuthenticatedTemplate>
                 </>
             ) : (
-                <Chat classes={classes} appState={appState} setAppState={setAppState} />
+                content
             )}
         </FluentProvider>
     );
@@ -189,23 +185,27 @@ const Chat = ({
             </div>
             {appState === AppState.ProbeForBackend && (
                 <BackendProbe
-                    uri={process.env.REACT_APP_BACKEND_URI as string}
                     onBackendFound={() => {
-                        if (AuthHelper.isAuthAAD()) {
-                            setAppState(AppState.SettingUserInfo);
-                        } else {
-                            setAppState(AppState.LoadingChats);
-                        }
+                        setAppState(
+                            AuthHelper.isAuthAAD()
+                                ? // if AAD is enabled, we need to set the active account before loading chats
+                                  AppState.SettingUserInfo
+                                : // otherwise, we can load chats immediately
+                                  AppState.LoadingChats,
+                        );
                     }}
                 />
             )}
             {appState === AppState.SettingUserInfo && (
                 <Loading text={'Hang tight while we fetch your information...'} />
             )}
             {appState === AppState.ErrorLoadingUserInfo && (
-                <Error text={'Oops, something went wrong. Please try signing out and signing back in.'} />
+                <Error text={'Unable to load user info. Please try signing out and signing back in.'} />
+            )}
+            {appState === AppState.ErrorLoadingChats && (
+                <Error text={'Unable to load chats. Please try refreshing the page.'} />
             )}
-            {appState === AppState.LoadingChats && <Loading text="Loading Chats..." />}
+            {appState === AppState.LoadingChats && <Loading text="Loading chats..." />}
             {appState === AppState.Chat && <ChatView />}
         </div>
     );

webapp/src/Constants.ts

@@ -13,9 +13,7 @@ export const Constants = {
             cacheLocation: 'localStorage',
             storeAuthStateInCookie: false,
         },
-        semanticKernelScopes: ['openid', 'offline_access', 'profile'].concat(
-            (process.env.REACT_APP_AAD_API_SCOPE as string) ? [process.env.REACT_APP_AAD_API_SCOPE as string] : [],
-        ),
+        semanticKernelScopes: ['openid', 'offline_access', 'profile'],
         // MS Graph scopes required for loading user information
         msGraphAppScopes: ['User.ReadBasic.All'],
     },