Add built-in auth files

Author: pamelafox

infra/aca.bicep

@@ -50,7 +50,7 @@ module app 'core/host/container-app-upsert.bicep' = {
   }
 }
 
-output SERVICE_ACA_IDENTITY_PRINCIPAL_ID string = acaIdentity.properties.principalId
-output SERVICE_ACA_NAME string = app.outputs.name
-output SERVICE_ACA_URI string = app.outputs.uri
-output SERVICE_ACA_IMAGE_NAME string = app.outputs.imageName
+output identityPrincipalId string = acaIdentity.properties.principalId
+output name string = app.outputs.name
+output uri string = app.outputs.uri
+output imageName string = app.outputs.imageName

infra/appregistration.bicep

@@ -0,0 +1,91 @@
+extension microsoftGraphV1
+
+@description('Specifies the name of cloud environment to run this deployment in.')
+param cloudEnvironment string = environment().name
+
+// NOTE: Microsoft Graph Bicep file deployment is only supported in Public Cloud
+@description('Audience uris for public and national clouds')
+param audiences object = {
+  AzureCloud: {
+    uri: 'api://AzureADTokenExchange'
+  }
+  AzureUSGovernment: {
+    uri: 'api://AzureADTokenExchangeUSGov'
+  }
+  USNat: {
+    uri: 'api://AzureADTokenExchangeUSNat'
+  }
+  USSec: {
+    uri: 'api://AzureADTokenExchangeUSSec'
+  }
+  AzureChinaCloud: {
+    uri: 'api://AzureADTokenExchangeChina'
+  }
+}
+
+@description('Specifies the ID of the user-assigned managed identity.')
+param webAppIdentityId string
+
+@description('Specifies the unique name for the client application.')
+param clientAppName string
+
+@description('Specifies the display name for the client application')
+param clientAppDisplayName string
+
+@description('Specifies the scopes that the client application requires.')
+param clientAppScopes array = ['User.Read', 'offline_access', 'openid', 'profile']
+
+param serviceManagementReference string = ''
+
+param issuer string
+
+param webAppEndpoint string
+
+// Get the MS Graph Service Principal based on its application ID:
+// https://learn.microsoft.com/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in
+var msGraphAppId = '00000003-0000-0000-c000-000000000000'
+resource msGraphSP 'Microsoft.Graph/[email protected]' existing = {
+  appId: msGraphAppId
+}
+
+var graphScopes = msGraphSP.oauth2PermissionScopes
+resource clientApp 'Microsoft.Graph/[email protected]' = {
+  uniqueName: clientAppName
+  displayName: clientAppDisplayName
+  signInAudience: 'AzureADMyOrg'
+  serviceManagementReference: empty(serviceManagementReference) ? null : serviceManagementReference
+  web: {
+    redirectUris: [
+      'http://localhost:50505/.auth/login/aad/callback'
+      '${webAppEndpoint}/.auth/login/aad/callback'
+    ]
+    implicitGrantSettings: { enableIdTokenIssuance: true }
+  }
+  requiredResourceAccess: [
+    {
+      resourceAppId: msGraphAppId
+      resourceAccess: [
+        for (scope, i) in clientAppScopes: {
+          id: filter(graphScopes, graphScopes => graphScopes.value == scope)[0].id
+          type: 'Scope'
+        }
+      ]
+    }
+  ]
+
+  resource clientAppFic '[email protected]' = {
+    name: '${clientApp.uniqueName}/miAsFic'
+    audiences: [
+      audiences[cloudEnvironment].uri
+   ]
+    issuer: issuer
+    subject: webAppIdentityId
+  }
+}
+
+resource clientSp 'Microsoft.Graph/[email protected]' = {
+  appId: clientApp.appId
+}
+
+output clientAppId string = clientApp.appId
+output clientSpId string = clientSp.id

infra/appupdate.bicep

@@ -0,0 +1,60 @@
+metadata description = 'Creates an Azure Container Apps Auth Config using Microsoft Entra as Identity Provider.'
+
+@description('The name of the container apps resource within the current resource group scope')
+param containerAppName string
+
+@description('The client ID of the Microsoft Entra application.')
+param clientId string
+
+param openIdIssuer string
+
+@description('Enable token store for the Container App.')
+param includeTokenStore bool = false
+
+@description('The URI of the Azure Blob Storage container to be used for token storage.')
+param blobContainerUri string = ''
+@description('The resource ID of the managed identity to be used for accessing the Azure Blob Storage.')
+param appIdentityResourceId string = ''
+
+resource app 'Microsoft.App/containerApps@2023-05-01' existing = {
+  name: containerAppName
+}
+
+resource auth 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
+  parent: app
+  name: 'current'
+  properties: {
+    platform: {
+      enabled: true
+    }
+    globalValidation: {
+      redirectToProvider: 'azureactivedirectory'
+      unauthenticatedClientAction: 'RedirectToLoginPage'
+    }
+    identityProviders: {
+      azureActiveDirectory: {
+        enabled: true
+        registration: {
+          clientId: clientId
+          clientSecretSettingName: 'override-use-mi-fic-assertion-client-id'
+          openIdIssuer: openIdIssuer
+        }
+        validation: {
+          defaultAuthorizationPolicy: {
+            allowedApplications: []
+          }
+        }
+      }
+    }
+    login: {
+      // https://learn.microsoft.com/azure/container-apps/token-store
+      tokenStore: {
+        enabled: includeTokenStore
+        azureBlobStorage: includeTokenStore ? {
+          blobContainerUri: blobContainerUri
+          managedIdentityResourceId: appIdentityResourceId
+        } : {}
+      }
+    }
+  }
+}

infra/bicepconfig.json

@@ -0,0 +1,9 @@
+{
+    "experimentalFeaturesEnabled": {
+        "extensibility": true
+    },
+    // specify an alias for the version of the v1.0 dynamic types package you want to use
+    "extensions": {
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.1.8-preview"
+    }
+}

infra/main.bicep

@@ -38,6 +38,8 @@ param disableKeyBasedAuth bool = true
 // Parameters for the specific Azure AI deployment:
 param aiServicesDeploymentName string = 'DeepSeek-R1'
 
+@description('Service Management Reference for the Entra app registration')
+param serviceManagementReference string = ''
 
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var tags = { 'azd-env-name': name }
@@ -131,12 +133,37 @@ module aca 'aca.bicep' = {
   }
 }
 
+/*var issuer = '${environment().authentication.loginEndpoint}${tenant().tenantId}/v2.0'
+module registration 'appregistration.bicep' = {
+  name: 'reg'
+  scope: resourceGroup
+  params: {
+    clientAppName: '${prefix}-entra-client-app'
+    clientAppDisplayName: 'DeepSeek Entra Client App'
+    webAppEndpoint: aca.outputs.uri
+    webAppIdentityId: aca.outputs.identityPrincipalId
+    issuer: issuer
+    serviceManagementReference: serviceManagementReference
+  }
+}*/
+
+/*module appupdate 'appupdate.bicep' = {
+  name: 'appupdate'
+  scope: resourceGroup
+  params: {
+    containerAppName: aca.outputs.name
+    clientId: registration.outputs.clientAppId
+    openIdIssuer: issuer
+    includeTokenStore: false
+  }
+}*/
+
 
 module aiServicesRoleBackend 'core/security/role.bicep' = {
   scope: aiServicesResourceGroup
   name: 'aiservices-role-backend'
   params: {
-    principalId: aca.outputs.SERVICE_ACA_IDENTITY_PRINCIPAL_ID
+    principalId: aca.outputs.identityPrincipalId
     roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
     principalType: 'ServicePrincipal'
   }
@@ -148,10 +175,10 @@ output AZURE_TENANT_ID string = tenant().tenantId
 output AZURE_DEEPSEEK_DEPLOYMENT string = aiServicesDeploymentName
 output AZURE_INFERENCE_ENDPOINT string = 'https://${aiServices.outputs.name}.services.ai.azure.com/models'
 
-output SERVICE_ACA_IDENTITY_PRINCIPAL_ID string = aca.outputs.SERVICE_ACA_IDENTITY_PRINCIPAL_ID
-output SERVICE_ACA_NAME string = aca.outputs.SERVICE_ACA_NAME
-output SERVICE_ACA_URI string = aca.outputs.SERVICE_ACA_URI
-output SERVICE_ACA_IMAGE_NAME string = aca.outputs.SERVICE_ACA_IMAGE_NAME
+output SERVICE_ACA_IDENTITY_PRINCIPAL_ID string = aca.outputs.identityPrincipalId
+output SERVICE_ACA_NAME string = aca.outputs.name
+output SERVICE_ACA_URI string = aca.outputs.uri
+output SERVICE_ACA_IMAGE_NAME string = aca.outputs.imageName
 
 output AZURE_CONTAINER_ENVIRONMENT_NAME string = containerApps.outputs.environmentName
 output AZURE_CONTAINER_REGISTRY_ENDPOINT string = containerApps.outputs.registryLoginServer

infra/main.parameters.json

@@ -19,6 +19,9 @@
       },
       "disableKeyBasedAuth": {
         "value": "${DISABLE_KEY_BASED_AUTH=true}"
+      },
+      "serviceManagementReference": {
+        "value": "${AZURE_SERVICE_MANAGEMENT_REFERENCE}"
       }
     }
   }