RBAC on Azure Cognitive Search with user authentication

Adrien O'Hana 15 Reputation points
2023-11-02T11:26:57.31+00:00

I'm building a web app where users first log in via the Microsoft identity provider, and depending on their assigned "Search Index Contributor" roles they can or cannot access some indexes in an Azure Cognitive Search service.

When testing locally, I obtain a credential using the InteractiveBrowserCredential. I then use this credential to access a search service index. If the user has not been given the appropriate role, the request returns an error; otherwise I can freely search through the index.

This all works perfectly when testing locally. I get the token only once at the start and can then use the credential with the Azure Search Python SDK.

    from azure.identity import InteractiveBrowserCredential

    credential = InteractiveBrowserCredential()
    credential.get_token("https://search.azure.com/.default")


Now I'm deploying this on an Azure web app. Aside from the app registration configuration, redirect link and access token, which I've successfully implemented, how can I convert an access token and expiration date into a credential object that works exactly the same as the InteractiveBrowserCredential?

Azure AI Search

2 answers

  1. Adrien O'Hana 15 Reputation points
    2023-11-16T11:53:13.7+00:00

    I finally managed to find a solution.

    from datetime import datetime

    import pytz
    from azure.core.credentials import AccessToken, TokenCredential


    class SimpleTokenCredential(TokenCredential):
        """Implements a simple token credential for use with Azure SDK clients."""

        def __init__(self, token, expires_on):
            self.token = token
            if isinstance(expires_on, str):
                # ISO 8601 string, interpreted as UTC
                self.expires_on = (
                    datetime.fromisoformat(expires_on.rstrip("Z"))
                    .replace(tzinfo=pytz.utc)
                    .timestamp()
                )
            else:
                # Anything else is taken to already be a Unix timestamp
                self.expires_on = expires_on

        def get_token(self, *scopes, **kwargs):
            # 'expires_on' is stored as a Unix timestamp; AccessToken expects integer seconds
            expiration_epoch = int(self.expires_on)
            return AccessToken(self.token, expiration_epoch)
    
    
    1 person found this answer helpful.
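An added example, not part of either answer or of the Azure SDK: a variant of the static credential above that fails closed when the token has expired or a different scope is requested, instead of handing a stale token to the client. `UserTokenCredential`, the two exception classes and the `skew`/`clock` parameters are hypothetical names, and `expires_on` is assumed to be Unix epoch seconds.

```python
import time
from collections import namedtuple

try:
    from azure.core.credentials import AccessToken
except ImportError:
    # Stand-in with the same two fields so the example runs without azure-core.
    AccessToken = namedtuple("AccessToken", ["token", "expires_on"])

SEARCH_SCOPE = "https://search.azure.com/.default"  # scope from the question


class TokenExpiredError(Exception):
    """Hypothetical: the stored user token can no longer be used."""


class ScopeMismatchError(Exception):
    """Hypothetical: a client asked for a scope the token was not issued for."""


class UserTokenCredential:
    """Hypothetical static credential wrapping one signed-in user's token.

    It cannot refresh, so it fails closed within `skew` seconds of expiry.
    """

    def __init__(self, token, expires_on, scope=SEARCH_SCOPE, skew=60, clock=time.time):
        if not token:
            raise ValueError("empty access token")
        self._token = token
        self._expires_on = int(expires_on)  # assumed Unix epoch seconds
        self._scope = scope
        self._skew = skew
        self._clock = clock  # injectable so expiry can be tested

    def get_token(self, *scopes, **kwargs):
        if tuple(scopes) != (self._scope,):
            raise ScopeMismatchError(f"token is for {self._scope}, not {scopes}")
        if self._clock() >= self._expires_on - self._skew:
            raise TokenExpiredError("user token expired; sign in again")
        return AccessToken(self._token, self._expires_on)

    def __repr__(self):
        # Keep the bearer token out of logs and tracebacks.
        return f"UserTokenCredential(scope={self._scope!r}, expires_on={self._expires_on})"
```

Build one instance per signed-in user from that user's own token; a credential object shared across requests would apply one user's role assignments to every caller.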

  2. SnehaAgrawal-MSFT 22,706 Reputation points Moderator
    2024-01-22T09:27:38.0933333+00:00

    Glad that you were able to resolve your issue, and I appreciate your effort in sharing the solution. Your contribution will undoubtedly assist others facing similar challenges. Reposting the solution:

    from datetime import datetime

    import pytz
    from azure.core.credentials import AccessToken, TokenCredential


    class SimpleTokenCredential(TokenCredential):
        """Implements a simple token credential for use with Azure SDK clients."""

        def __init__(self, token, expires_on):
            self.token = token
            if isinstance(expires_on, str):
                # ISO 8601 string, interpreted as UTC
                self.expires_on = (
                    datetime.fromisoformat(expires_on.rstrip("Z"))
                    .replace(tzinfo=pytz.utc)
                    .timestamp()
                )
            else:
                # Anything else is taken to already be a Unix timestamp
                self.expires_on = expires_on

        def get_token(self, *scopes, **kwargs):
            # 'expires_on' is stored as a Unix timestamp; AccessToken expects integer seconds
            expiration_epoch = int(self.expires_on)
            return AccessToken(self.token, expiration_epoch)
    

    As the [Microsoft Q&A community follows a policy where the question author cannot accept their own answer](https://learn.microsoft.com/en-us/answers/support/accept-answer), I've reposted your solution. Feel free to consider "Accepting" the answer if you find it suitable.
