Statnett-255: Frontend app as a separate app, which is registered

Author: nelly-hateva

docs/FastAPI.md

@@ -69,12 +69,14 @@ The `version` information is included in the response from the `/__about` endpoi
 
 * `SECURITY_ENABLED` - OPTIONAL, DEFAULT=False, Exposed to the UI - Indicates if security is enabled.
 * `SECURITY_CLIENT_ID` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The registered application (client) ID.
+* `SECURITY_FRONTEND_APP_CLIENT_ID` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The registered frontend application (client) ID.
 * `SECURITY_AUTHORITY` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The authority URL used for authentication.
 * `SECURITY_LOGOUT` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The logout endpoint URL.
 * `SECURITY_LOGIN_REDIRECT` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The URL to redirect to after a successful login.
 * `SECURITY_LOGOUT_REDIRECT` - REQUIRED iff `SECURITY_ENABLED=True`, Exposed to the UI - The URL to redirect to after logout.
 * `SECURITY_OIDC_DISCOVERY_URL` - OPTIONAL, DEFAULT=`{SECURITY_AUTHORITY}/v2.0/.well-known/openid-configuration` - OpenID Connect Discovery URL.
 * `SECURITY_AUDIENCE` - REQUIRED iff `SECURITY_ENABLED=True` - The expected audience of the security tokens.
+* `SECURITY_ISSUER` - REQUIRED iff `SECURITY_ENABLED=True` - The expected issuer of the security tokens.
 * `SECURITY_TTL` - OPTIONAL, DEFAULT=`86400` seconds (24 hours), must be >= 1 - Indicates how many seconds to cache the public keys and the issuer obtained from the OpenID Configuration endpoint.
 According to [the Azure documentation](https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens) a reasonable frequency to check for updates to the public keys used by Microsoft Entra ID is every 24 hours.
 

src/talk2powersystemllm/app/models/auth.py

@@ -4,6 +4,8 @@
 class AuthConfig(BaseModel):
     enabled: bool
     client_id: str | None = Field(alias="clientId")
+    frontend_app_client_id: str | None = Field(alias="frontendAppClientId")
+    scopes: list[str] | None
     authority: str | None
     logout: str | None
     login_redirect: str | None = Field(alias="loginRedirect")

src/talk2powersystemllm/app/server/auth.py

@@ -15,7 +15,7 @@
 security_scheme = HTTPBearer(auto_error=False)
 
 
-def get_jwks_uri_and_issuer() -> tuple[str, str]:
+def get_jwks_uri() -> str:
     try:
         oid_config = requests.get(settings.security.oidc_discovery_url)
         oid_config.raise_for_status()
@@ -29,15 +29,13 @@ def get_jwks_uri_and_issuer() -> tuple[str, str]:
     json_response_body = oid_config.json()
     if "jwks_uri" not in json_response_body:
         raise HTTPException(status_code=500, detail="jwks_uri not found in the OpenID Configuration")
-    if "issuer" not in json_response_body:
-        raise HTTPException(status_code=500, detail="issuer not found in the OpenID Configuration")
 
-    return json_response_body["jwks_uri"], json_response_body["issuer"]
+    return json_response_body["jwks_uri"]
 
 
 @cached(cache=TTLCache(maxsize=1, ttl=settings.security.ttl))
-def get_jwks_keys_and_issuer() -> tuple[dict, str]:
-    jwks_uri, issuer = get_jwks_uri_and_issuer()
+def get_jwks_keys() -> dict:
+    jwks_uri = get_jwks_uri()
     try:
         keys = requests.get(jwks_uri)
         keys.raise_for_status()
@@ -47,17 +45,17 @@ def get_jwks_keys_and_issuer() -> tuple[dict, str]:
             exc_info=err
         )
         raise HTTPException(status_code=500, detail="Fail to get issuer keys")
-    return keys.json(), issuer
+    return keys.json()
 
 
 def verify_jwt(token: str):
-    jwks_keys, issuer = get_jwks_keys_and_issuer()
+    jwks_keys = get_jwks_keys()
     try:
         return jwt.decode(
             token,
             jwks_keys,
             audience=settings.security.audience,
-            issuer=issuer,
+            issuer=settings.security.issuer,
         )
     except ExpiredSignatureError as e:
         logging.warning("Expired Signature", exc_info=e)

src/talk2powersystemllm/app/server/config.py

@@ -17,6 +17,10 @@ class SecuritySettings(BaseSettings):
         default=None,
         description="The registered application (client) ID. The value is also exposed to the UI."
     )
+    frontend_app_client_id: str | None = Field(
+        default=None,
+        description="The registered frontend application (client) ID. The value is also exposed to the UI."
+    )
     oidc_discovery_url: str | None = Field(
         default=None,
         description="OpenID Connect Discovery URL."
@@ -25,6 +29,10 @@ class SecuritySettings(BaseSettings):
         default=None,
         description="The expected audience of the security tokens"
     )
+    issuer: str | None = Field(
+        default=None,
+        description="The expected issuer of the security tokens"
+    )
     ttl: int = Field(
         default=86400,
         ge=1,
@@ -51,11 +59,12 @@ class SecuritySettings(BaseSettings):
 
     @model_validator(mode="after")
     def check_required_fields_and_set_default_oidc_discovery_url(self) -> "SecuritySettings":
-        if self.enabled and ((not self.client_id) or (not self.authority)
-                             or (not self.logout) or (not self.login_redirect) or (not self.logout_redirect)
-                             or (not self.audience)):
+        if self.enabled and ((not self.client_id) or (not self.frontend_app_client_id) or (not self.authority)
+                             or (not self.issuer) or (not self.logout) or (not self.login_redirect)
+                             or (not self.logout_redirect) or (not self.audience)):
             raise ValueError("If security is enabled, the following fields are required: "
-                             "client_id, authority, logout, login_redirect, logout_redirect, audience!")
+                             "client_id, frontend_app_client_id, authority, logout, "
+                             "login_redirect, logout_redirect, audience!")
         if self.enabled and not self.oidc_discovery_url:
             self.oidc_discovery_url = (
                 self.authority.rstrip("/") + "/v2.0/.well-known/openid-configuration"

src/talk2powersystemllm/app/server/main.py

@@ -127,7 +127,7 @@ async def lifespan(_: FastAPI):
                 authority=settings.security.authority,
                 client_credential=agent_factory.settings.tools.cognite.client_secret,
             )
-            COGNITE_SCOPES = [f"{agent_factory.settings.tools.cognite.base_url}/.default", "offline_access"]
+            COGNITE_SCOPES = [f"{agent_factory.settings.tools.cognite.base_url}/.default"]
 
         GraphDBHealthchecker(agent_factory.graphdb_client)
 
@@ -410,6 +410,8 @@ async def get_auth_config(
     return AuthConfig(
         enabled=settings.security.enabled,
         clientId=settings.security.client_id,
+        frontendAppClientId=settings.security.frontend_app_client_id,
+        scopes=["openid", "profile", f"{settings.security.audience}/.default"],
         authority=settings.security.authority,
         logout=settings.security.logout,
         loginRedirect=settings.security.login_redirect,
@@ -474,7 +476,7 @@ async def conversations(
     claims=Depends(conditional_security),
 ) -> ChatResponse:
     cognite_obo_token = None
-    if settings.security.enabled and agent_factory.settings.tools.cognite.client_secret:
+    if settings.security.enabled and agent_factory.settings.tools.cognite and agent_factory.settings.tools.cognite.client_secret:
         token_result = exchange_obo_for_cognite(authorization)
         cognite_obo_token = token_result["access_token"]
 

src/talk2powersystemllm/app/trouble.md

@@ -67,6 +67,17 @@ Response Body JSON Schema:
     "clientId": {
       "type": "string"
     },
+    "frontendAppClientId": {
+      "type": "string"
+    },
+    "scopes": {
+      "type": "array",
+      "items": [
+        {
+          "type": "string"
+        }
+      ]
+    },
     "authority": {
       "type": "string"
     },
@@ -91,11 +102,17 @@ Sample Response Body:
 ```json
 {
   "enabled": true,
-  "clientId": "6f8c5e30-b4b4-4b78-bdba-0ac5f5947fb6",
+  "clientId": "7b9f2087-68f1-45fe-a21d-023daedd4047",
+  "frontendAppClientId": "10acd638-f239-4aa2-8186-761512253325",
+  "scopes": [
+    "openid",
+    "profile",
+    "api://7b9f2087-68f1-45fe-a21d-023daedd4047/.default"
+  ],
   "authority": "https://login.microsoftonline.com/519ed184-e4d5-4431-97e5-fb4410a3f875",
-  "logout": "https://login.microsoftonline.com/519ed184-e4d5-4431-97e5-fb4410a3f875/oauth2/logout",
-  "loginRedirect": "http://localhost:3000",
-  "logoutRedirect": "http://localhost:3000/login"
+  "logout": "https://login.microsoftonline.com/519ed184-e4d5-4431-97e5-fb4410a3f875/oauth2/v2.0/logout",
+  "loginRedirect": "http://localhost:3000/",
+  "logoutRedirect": "http://localhost:3000/"
 }
 ```