Merge pull request #265898 from dlepow/aoai

[APIM] Auth to Azure OpenAI API

Author: Stacyrch140

articles/api-management/TOC.yml

@@ -209,6 +209,10 @@
       href: grpc-api.md
     - name: Azure OpenAI
       items:
+      - name: Import Azure OpenAI API as REST API
+        href: azure-openai-api-from-specification.md
+      - name: Authenticate and authorize to Azure OpenAI
+        href: api-management-authenticate-authorize-azure-openai.md
       - name: Protect Azure OpenAI keys
         href: /semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
     - name: Configure API for SSE

articles/api-management/api-management-authenticate-authorize-azure-openai.md

@@ -0,0 +1,161 @@
+---
+title: Authenticate to Azure OpenAI API - Azure API Management
+titleSuffix: Azure API Management
+description: Options to authenticate and authorize to Azure OpenAI APIs using Azure API Management. Includes API key, managed identity, and OAuth 2.0 authorization.
+author: dlepow
+ms.service: api-management
+ms.topic: article
+ms.date: 02/20/2024
+ms.author: danlep
+---
+
+# Authenticate and authorize access to Azure OpenAI APIs using Azure API Management 
+
+In this article, you learn about ways to authenticate and authorize to Azure OpenAI API endpoints that are managed using Azure API Management. This article shows the following common methods:
+
+* **Authentication** - Authenticate to an Azure OpenAI API using policies that authenticate using either an API key or a Microsoft Entra ID managed identity.
+
+* **Authorization** - For more fine-grained access control, preauthorize requests that pass OAuth 2.0 tokens generated by an identity provider such as Microsoft Entra ID.
+
+For background, see:
+
+* [Azure OpenAI Service REST API reference](/azure/ai-services/openai/reference)
+
+* [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md).
+
+## Prerequisites
+
+Before following the steps in this article, you must have:
+
+- An API Management instance. For example steps, see [Create an Azure API Management instance](get-started-create-service-instance.md).
+- An Azure OpenAI resource and model added to your API Management instance. For example steps, see [Import an Azure OpenAI API as a REST API](azure-openai-api-from-specification.md).
+- Permissions to create an app registration in an identity provider such as a Microsoft Entra tenant associated with your Azure subscription (for OAuth 2.0 authorization).
+
+## Authenticate with API key
+
+A default way to authenticate to an Azure OpenAI API is by using an API key. For this type of authentication, all API requests must include a valid API key in the `api-key` HTTP header.
+
+* API Management can manage the API key in a secure way, by using a [named value](api-management-howto-properties.md). 
+* The named value can then be referenced in an API policy to set the `api-key` header in requests to the Azure OpenAI API. We provide two examples of how to do this: one uses the [`set-backend-service`](set-backend-service-policy.md) policy, and the other uses the [`set-header`](set-header-policy.md) policy.
+
+### Store the API key in a named value
+
+1. Obtain an API key from the Azure OpenAI resource. In the Azure portal, find a key on the **Keys and Endpoint** page of the Azure OpenAI resource.
+1. Go to your API Management instance, and select **Named values** in the left menu.
+1. Select **+ Add**, and add the value as a secret, or optionally for more security, use a [key vault reference](api-management-howto-properties.md#key-vault-secrets).
+
+### Pass the API key in API requests - set-backend-service policy
+
+1. Create a [backend](backends.md) that points to the Azure OpenAI API.
+    1. In the left menu of your API Management instance, select **Backends**.
+    1. Select **+ Add**, and enter a descriptive name for the backend. Example: *openai-backend*.
+    1. Under **Type**, select **Custom**, and enter the URL of the Azure OpenAI endpoint. Example: `https://contoso.openai.azure.com/openai`.
+    1. Under **Authorization credentials**, select **Headers**, and enter *api-key* as the header name and the named value as the value.
+    1. Select **Create**.
+1. Add the following `set-backend-service` policy snippet in the `inbound` policy section to pass the API key in requests to the Azure OpenAI API. 
+
+    In this example, the backend resource is *openai-backend*.
+
+    ```xml
+    <set-backend-service backend-id="openai-backend" />
+    ```
+
+### Pass the API key in API requests - set-header policy
+
+Alternatively, add the following `set-header` policy snippet in the `inbound` policy section to pass the API key in requests to the Azure OpenAI API. This policy snippet sets the `api-key` header with the named value that you set up. 
+
+In this example, the named value in API Management is *openai-api-key*.
+
+```xml
+<set-header name="api-key" exists-action="override">
+    <value>{{openai-api-key}}</value>
+</set-header>
+```
+
+
+## Authenticate with managed identity
+
+An alternative way to authenticate to an Azure OpenAI API by using a managed identity in Microsoft Entra ID. For background, see
+[How to configure Azure OpenAI Service with managed identity](../ai-services/openai/how-to/managed-identity.md).
+
+Following are steps to configure your API Management instance to use a managed identity to authenticate requests to an Azure OpenAI API. 
+
+1. [Enable](api-management-howto-use-managed-service-identity.md) a system-assigned or user-assigned managed identity for your API Management instance. The following example assumes that you've enabled the instance's system-assigned managed identity.
+
+1. Assign the managed identity the **Cognitive Services OpenAI User** role, scoped to the appropriate resource. For example, assign the system-assigned managed identity the **Cognitive Services OpenAI User** role on the Azure OpenAI resource. For detailed steps, see [Role-based access control for Azure OpenAI service](../ai-services/openai/how-to/role-based-access-control.md).
+
+1. Add the following policy snippet in the `inbound` policy section to authenticate requests to the Azure OpenAI API using the managed identity. 
+
+    In this example:
+    
+    * The [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy obtains an access token for the managed identity. 
+    * The [`set-header`](set-header-policy.md) policy sets the `Authorization` header of the request with the access token. 
+
+    ```xml
+    <authentication-managed-identity resource="https://cognitiveservices.azure.com" output-token-variable-name="managed-id-access-token" ignore-error="false" /> 
+    <set-header name="Authorization" exists-action="override"> 
+        <value>@("Bearer " + (string)context.Variables["managed-id-access-token"])</value> 
+    </set-header> 
+    ```
+
+## OAuth 2.0 authorization using identity provider
+
+To enable more fine-grained access to OpenAPI APIs by particular users or clients, you can preauthorize access to the Azure OpenAI API using OAuth 2.0 authorization with Microsoft Entra ID or another identity provider. For background, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
+
+> [!NOTE]
+> Use OAuth 2.0 authorization as part of a defense-in-depth strategy. It's not a replacement for API key authentication or managed identity authentication to an Azure OpenAI API.
+
+Following are high level steps to restrict API access to users or apps that are authorized using an identity provider.  
+
+1. Create an application in your identity provider to represent the OpenAI API in Azure API Management. If you're using Microsoft Entra ID, [register](api-management-howto-protect-backend-with-aad.md#register-an-application-in-microsoft-entra-id-to-represent-the-api) an application in your Microsoft Entra ID tenant. Record details such as the application ID and the audience URI.
+
+    As needed, configure the application to have roles or scopes that represent the fine-grained permissions needed to access the Azure OpenAI API.
+
+1. Add an `inbound` policy snippet in your API Management instance to validate requests that present a JSON web token (JWT) in the `Authorization` header. Place this snippet *before* other `inbound` policies that you set to authenticate to the Azure OpenAI API. 
+
+    > [!NOTE]
+    > The following examples show the general structure of the policies to validate a JWT. Customize them to your identity provider and the requirements of your application and API.
+
+    * **validate-azure-ad-token** - If you use Microsoft Entra ID, configure the `validate-azure-ad-token` policy to validate the audience and claims in the JWT. For details, see the [policy reference](validate-azure-ad-token-policy.md).
+
+        ```xml
+        <validate-azure-ad-token tenant-id={{TENANT_ID}} header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
+            <client-application-ids>
+                    <application-id>{{CLIENT_APP_ID}}</application-id>
+            </client-application-ids>
+           <audiences>
+                <audience>...</audience> 
+            </audiences>
+            <required-claims>
+                <claim name=...>
+                    <value>...</value>
+                </claim>
+            </required-claims>
+        </validate-azure-ad-token>
+        ```
+
+
+    * **validate-jwt** - If you use another identity provider, configure the `validate-jwt` policy to validate the audience and claims in the JWT. For details, see the [policy reference](validate-jwt-policy.md).
+
+        ```xml
+        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
+            <openid-config url={{OPENID_CONFIGURATION_URL}} />
+            <issuers>
+                <issuer>{{ISSUER_URL}}</issuer>
+            </issuers>
+            <audiences>
+                <audience>...</audience> 
+            </audiences>
+            <required-claims>
+                <claim name=...>
+                    <value>...</value>
+                </claim>
+            </required-claims>
+        </validate-jwt>
+        ```
+    
+## Related content
+
+* Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).  
+* [Authenticate requests to Azure AI services](../ai-services/authentication.md)
+* [Protect Azure OpenAI keys with API Management](/semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

articles/api-management/azure-openai-api-from-specification.md

@@ -0,0 +1,67 @@
+---
+title: Import an Azure OpenAI API as REST API - Azure API Management
+description: How to import an Azure OpenAI API as a REST API from its OpenAPI specification.
+ms.service: api-management
+author: dlepow
+ms.author: danlep
+ms.topic: how-to
+ms.date: 02/22/2024
+ms.custom: template-how-to
+---
+
+# Import an Azure OpenAI API as a REST API
+
+This article shows how to import an [Azure OpenAI](/azure/ai-services/openai/overview) API into an Azure API Management instance from its OpenAPI specification. After importing the API as a REST API, you can manage and secure it, and publish it to developers.
+
+## Prerequisites
+
+- An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md).
+- Access granted to Azure OpenAI in the desired Azure subscription.
+    You can apply for access to Azure OpenAI by completing the form at https://aka.ms/oai/access. Open an issue on this repo to contact us if you have an issue.
+- An Azure OpenAI resource with a model deployed. For more information about model deployment, see the [resource deployment guide](../ai-services/openai/how-to/create-resource.md).
+
+    Make a note of the deployment ID (name). You'll need it when you test the imported API in API Management.
+
+## Download the OpenAPI specification
+
+Download the OpenAPI specification for an endpoint that your model supports. For example, download the OpenAPI specification for the [chat completion endpoint](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/cognitiveservices/data-plane/AzureOpenAI/inference/stable/2023-05-15/inference.json) of the GPT-35-Turbo and GPT-4 models.
+
+1. In a text editor, open the specification file that you downloaded.
+1. In the `servers` element in the specification, substitute the name of your Azure OpenAI resource endpoint for the placeholder values in the specification. The following example `servers` element is updated with the `contoso.openai.azure.com` resource endpoint.
+    ```json
+    [...]
+    "servers": [
+        {
+          "url": "https://contoso.openai.azure.com/openai",
+          "variables": {
+            "endpoint": {
+              "default": "contoso.openai.azure.com"
+            }
+          }
+        }
+      ],
+    [...]
+    ```
+1. Make a note of the value of the API `version` in the specification. You'll need it to test the API. Example: `2023-05-15`.
+
+## Add OpenAPI specification to API Management
+
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. In the left menu, select **APIs** > **+ Add API**.
+1. Under **Define a new API**, select **OpenAPI**. Enter a **Display name** and **Name** for the API and enter an **API URL suffix**.  
+1. Select **Create**.
+
+The API is imported and displays operations from the OpenAPI specification.
+
+[!INCLUDE [api-management-test-api-portal](../../includes/api-management-test-api-portal.md)]
+
+> [!IMPORTANT]
+> Authentication to the OpenAI API requires an API key or a managed identity. To configure authentication using API Management policies, see [Authenticate and authorize to Azure OpenAI API](api-management-authenticate-authorize-azure-openai.md).
+
+[!INCLUDE [api-management-define-api-topics.md](../../includes/api-management-define-api-topics.md)]
+
+## Related content
+
+* [Azure OpenAI Service as a central capability with Azure API Management](/samples/azure/enterprise-azureai/enterprise-azureai/)
+* [Azure API Management - Azure OpenAI sample](https://github.com/galiniliev/apim-azure-openai-sample)