Move credentials to env file

Author: simonkurtz-MSFT

.gitignore

@@ -22,7 +22,7 @@ labs-in-progress/
 *.log
 
 # Exclude sensitive or generated files
-.env
+.env*
 
 # Coverage data and reports
 .coverage

samples/oauth-3rd-party/README.md

@@ -19,7 +19,7 @@ Sets up a 3rd party integration via [Azure API Management Credential Manager](ht
 
 ## 📝 Scenario
 
-We chose Spotify as it provides an extensive REST API and has relatively generous limits on free API access. This makes for a relatively straight-forward experience for this sample. 
+We chose Spotify as it provides an extensive [REST API](https://developer.spotify.com/documentation/web-api) and has relatively generous limits on free API access. This makes for a relatively straight-forward experience for this sample. 
 Specifically, this sample uses Spotify's REST API to obtain information about its deep music and artist catalog. API Management is registered as an application in Spotify's applications with its own client ID and client secret for a given scope. This application is then set up as a generic OAuth 2.0 integration in Credential Manager.  
 Furthermore, we build on the knowledge gained from the _AuthX_ and _AuthX-Pro_ samples to authentication callers and authorize their use of the Spotify integration. 
 
@@ -58,8 +58,8 @@ In order for API Management to gain access to Spotify's API, we need to create a
     - **Redirect URIs**: https://localhost:8080/callback
         We will update this placeholder once we have the APIM URL.
     - **Which API/SDKs are you planning to use?** _Web API_
-1. Once the app has been created, **note the _Client ID_ and _Client secret_**. We will need them for the Credential Manager setup.
-1. Leave the Dashboard page open in your browser, as we will need to replaec the Redirect URI shortly.
+1. Once the app has been created, copy the _Client ID_ and _Client secret_ into the root `.env` file. We will need them for the Credential Manager setup.
+1. Leave the Dashboard page open in your browser, as we will need to replace the Redirect URI shortly.
 1. Proceed to the [create](./create.ipynb) Jupyter notebook and follow directions there.
 
 ## Acknowledgement

samples/oauth-3rd-party/create.ipynb

@@ -20,8 +20,8 @@
    "outputs": [],
    "source": [
     "import utils\n",
-    "import time\n",
     "from apimtypes import *\n",
+    "import os\n",
     "\n",
     "# 1) User-defined parameters (change these as needed)\n",
     "rg_location   = 'eastus2'\n",
@@ -30,14 +30,18 @@
     "tags          = ['oauth-3rd-party', 'jwt', 'credential-manager', 'policy-fragment']       # ENTER DESCRIPTIVE TAG(S)\n",
     "api_prefix    = 'oauth-3rd-party-'              # OPTIONAL: ENTER A PREFIX FOR THE APIS TO REDUCE COLLISION POTENTIAL WITH OTHER SAMPLES\n",
     "# OAuth\n",
-    "client_id     = 'your-spotify-client-id'        # ENTER THE OAUTH CLIENT ID FOR THE BACKEND API\n",
-    "client_secret = 'your-spotify-client-secret'    # ENTER THE OAUTH CLIENT SECRET FOR THE BACKEND API\n",
+    "client_id     = os.getenv('SPOTIFY_CLIENT_ID')        # ENTER THE OAUTH CLIENT ID FOR THE BACKEND API\n",
+    "client_secret = os.getenv('SPOTIFY_CLIENT_SECRET')    # ENTER THE OAUTH CLIENT SECRET FOR THE BACKEND API\n",
     "\n",
     "# 2) Service-defined parameters (please do not change these)\n",
     "rg_name       = utils.get_infra_rg_name(deployment, index)\n",
     "sample_folder = \"oauth-3rd-party\"\n",
     "nb_helper     = utils.NotebookHelper(sample_folder, rg_name, rg_location, deployment, [INFRASTRUCTURE.AFD_APIM_PE, INFRASTRUCTURE.APIM_ACA, INFRASTRUCTURE.SIMPLE_APIM], True)\n",
     "\n",
+    "if len(client_id) == 0 or len(client_secret) == 0:\n",
+    "    utils.print_error('Please set the SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET environment variables in the root .env file before running this notebook.')\n",
+    "    raise ValueError('Missing Spotify OAuth credentials')\n",
+    "\n",
     "# 3) Set up the named values\n",
     "nvs: List[NamedValue] = [\n",
     "    NamedValue(nb_helper.jwt_key_name, nb_helper.jwt_key_value_bytes_b64, True),\n",
@@ -107,10 +111,7 @@
     "if output.json_data:\n",
     "    apim_name = output.get('apimServiceName', 'APIM Service Name')\n",
     "    apim_gateway_url = output.get('apimResourceGatewayURL', 'APIM API Gateway URL')\n",
-    "\n",
-    "    # TODO: This should be retrieved from an output; however, the format is static.\n",
-    "    apim_oauth_redirect_url = f'https://authorization-manager.consent.azure-apim.net/redirect/apim/{apim_name}'\n",
-    "    utils.print_val('APIM OAuth Redirect URL', apim_oauth_redirect_url)\n",
+    "    spotify_oauth_redirect_url = output.get('spotifyOAuthRedirectUrl', 'Spotify OAuth Redirect URL')\n",
     "\n",
     "utils.print_ok('Deployment completed')"
    ]
@@ -175,27 +176,15 @@
     "encoded_jwt_token_marketing_member = AuthFactory.create_symmetric_jwt_token_for_user(UserHelper.get_user_by_role(Role.MARKETING_MEMBER), nb_helper.jwt_key_value)\n",
     "print(f'\\nJWT token for Marketing Member:\\n{encoded_jwt_token_marketing_member}')  # this value is used to call the APIs via APIM\n",
     "\n",
-    "# Issue requests against Front Door.\n",
-    "utils.print_message('Checking if the infrastructure architecture deployment uses Azure Front Door.', blank_above = True)\n",
-    "afd_endpoint_url = utils.get_frontdoor_url(deployment, rg_name)\n",
-    "\n",
-    "if afd_endpoint_url:\n",
-    "    artist_id = '06HL4z0CvFAxyc27GXpf02'    # Taylor Swift's Spotify Artist ID\n",
-    "    reqsAfd = ApimRequests(afd_endpoint_url)\n",
-    "    reqsAfd.headers['Authorization'] = f'Bearer {encoded_jwt_token_marketing_member}'\n",
-    "    output = reqsAfd.singleGet(f'/oauth-3rd-party-spotify/artists/{artist_id}', msg = 'Calling the Spotify Artist API via API Management Gateway URL.')\n",
-    "    artist = json.loads(output)\n",
-    "    tests.verify(artist['name'], 'Taylor Swift')\n",
-    "    utils.print_info(f'{artist[\"name\"]} has a popularity rating of {artist[\"popularity\"]} with {artist[\"followers\"][\"total\"]:,} followers on Spotify.')\n",
-    "else:\n",
-    "    # Issue a direct request to API Management\n",
-    "    artist_id = '6XpaIBNiVzIetEPCWDvAFP'    # Whitney Houston's Spotify Artist ID\n",
-    "    reqsApim = ApimRequests(apim_gateway_url)\n",
-    "    reqsApim.headers['Authorization'] = f'Bearer {encoded_jwt_token_marketing_member}'\n",
-    "    output = reqsApim.singleGet(f'/oauth-3rd-party-spotify/artists/{artist_id}', msg = 'Calling the Spotify Artist API via API Management Gateway URL.')\n",
-    "    artist = json.loads(output)\n",
-    "    tests.verify(artist['name'], 'Whitney Houston')\n",
-    "    utils.print_info(f'{artist[\"name\"]} has a popularity rating of {artist[\"popularity\"]} with {artist[\"followers\"][\"total\"]:,} followers on Spotify.')\n",
+    "# Preflight: Check if the infrastructure architecture deployment uses Azure Front Door. If so, assume that APIM is not directly accessible and use the Front Door URL instead.\n",
+    "endpoint_url = utils.test_url_preflight_check(deployment, rg_name, apim_gateway_url)\n",
+    "reqs = ApimRequests(endpoint_url)\n",
+    "reqs.headers['Authorization'] = f'Bearer {encoded_jwt_token_marketing_member}'\n",
+    "artist_id = '06HL4z0CvFAxyc27GXpf02'    # Taylor Swift's Spotify Artist ID\n",
+    "output = reqs.singleGet(f'/oauth-3rd-party-spotify/artists/{artist_id}', msg = 'Calling the Spotify Artist API via API Management Gateway URL.')\n",
+    "artist = json.loads(output)\n",
+    "tests.verify(artist['name'], 'Taylor Swift')\n",
+    "utils.print_info(f'{artist[\"name\"]} has a popularity rating of {artist[\"popularity\"]} with {artist[\"followers\"][\"total\"]:,} followers on Spotify.')\n",
     "\n",
     "tests.print_summary()\n",
     "\n",

samples/oauth-3rd-party/main.bicep

@@ -155,3 +155,4 @@ module apisModule '../../shared/bicep/modules/apim/v1/api.bicep' = [for api in a
 output apimServiceId string = apimService.id
 output apimServiceName string = apimService.name
 output apimResourceGatewayURL string = apimService.properties.gatewayUrl
+output spotifyOAuthRedirectUrl string = spotifyAuthorizationProvider.properties.oauth2.redirectUrl

setup/setup_python_path.py

@@ -99,6 +99,8 @@ def generate_env_file() -> None:
     env_content = f"""# Auto-generated PYTHONPATH for VS Code - Run 'python setup/setup_python_path.py' to regenerate
 PROJECT_ROOT={project_root}
 PYTHONPATH={shared_python_path}
+SPOTIFY_CLIENT_ID=
+SPOTIFY_CLIENT_SECRET=
 """
 
     env_file_path = project_root / '.env'
@@ -109,9 +111,11 @@ def generate_env_file() -> None:
         f.write(env_content)
 
     print()
-    print(f"Generated .env file : {env_file_path}")
-    print(f"PROJECT_ROOT        : {project_root}")
-    print(f"PYTHONPATH          : {shared_python_path}\n")
+    print(f"Generated .env file   : {env_file_path}")
+    print(f"PROJECT_ROOT          : {project_root}")
+    print(f"PYTHONPATH            : {shared_python_path}")
+    print(f"SPOTIFY_CLIENT_ID     : ")
+    print(f"SPOTIFY_CLIENT_SECRET : \n")
 
 
 def install_jupyter_kernel():