Support Azure Identity to eliminate plain text password and key

The idea is:

Protecting system integration in product deployments is critical for enterprise security. We need to support Managed Identity instead of using plain-text keys.
Using a key is an attack risk. The following is an example of eliminating the key: instead, we just use managed identity in an Azure OpenAI GPT instance with DefaultAzureCredential(). This will reduce attacks and improve quality and security.
We need n8n to support this as a model of how to care for clients' system protection.

Azure OpenAI with AAD Auth — AutoGen

```python
from autogen_ext.models import AzureOpenAIChatCompletionClient
from azure.identity import DefaultAzureCredential, get_bearer_token_provider

# Create the token provider
token_provider = get_bearer_token_provider(
    DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
)

# No API key is passed; the client requests bearer tokens from the provider.
client = AzureOpenAIChatCompletionClient(
    azure_deployment="{your-azure-deployment}",
    model="{model-name, such as gpt-4o}",
    api_version="2024-02-01",
    azure_endpoint="https://{your-custom-endpoint}.openai.azure.com/",
    azure_ad_token_provider=token_provider,
)
```

My use case:

I think it would be beneficial to add this because:

Considering that billions of accounts and keys are hacked and stolen every year, causing hundreds of billions in loss and damage, eliminating plain-text keys is critical. This is a requirement for any enterprise system and service, for a higher bar of protection.

Any resources to support this?

https://microsoft.github.io/autogen/0.4.0.dev7/user-guide/core-user-guide/cookbook/azure-openai-with-aad-auth.html

Are you willing to work on this?

Following is the fix:

```javascript
import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
import { AzureOpenAI } from "openai";

import "dotenv/config.js";

const credential = new DefaultAzureCredential();
const scope = "https://cognitiveservices.azure.com/.default";

// Token provider used by the client in place of an API key
const azureADTokenProvider = getBearerTokenProvider(credential, scope);
// You will need to set these environment variables or edit the following values
const endpoint = "https://.openai.azure.com/";
const apiVersion = "2024-05-01-preview";
const deployment = "gpt-4o"; // This must match your deployment name

const AZURE_OPENAI_ENDPOINT = process.env["AZURE_OPENAI_ENDPOINT"] || endpoint;
const AZURE_OPENAI_VERSION = process.env["AZURE_OPENAI_VERSION"] || apiVersion;
const AZURE_OPENAI_DEPLOYMENT = process.env["AZURE_OPENAI_DEPLOYMENT"] || deployment;
const MODEL = process.env["model"] || "gpt-4o";
console.log("==endpoint: ", AZURE_OPENAI_ENDPOINT);
console.log("==version: ", AZURE_OPENAI_VERSION);
console.log("==deploy: ", AZURE_OPENAI_DEPLOYMENT);
console.log("==model: ", MODEL);

// Build an AzureOpenAI client that authenticates with the token provider
export async function main_llm() {
  const options = {
    azureADTokenProvider: azureADTokenProvider,
    deployment: AZURE_OPENAI_DEPLOYMENT,
    apiVersion: AZURE_OPENAI_VERSION,
    endpoint: AZURE_OPENAI_ENDPOINT,
  };
  const client = new AzureOpenAI(options);
  return client;
}
```

Hi @George_Hu

Is this what you mean? It is an enterprise feature you get when you get the n8n enterprise license.

No, that is not the solution; we are looking for a password-less solution.

Or a no-password solution. Using any plain-text password is not permitted. Instead, we need to use Azure Managed Identity. I showed how to address that in the context already.

Sorry I misunderstood then. :slight_smile:

The problem I am facing is that we can use AzureOpenAI to eliminate the password, while n8n is using ChatOpenAI, which is a langchain instance.

If n8n can support `{ AzureOpenAI } from "openai"`, that will be great. But you will see the problem is how to address AzureOpenAI (openai) != ChatOpenAI (langchain). Does n8n have a plan to support a pure openai instance?

@George_Hu Can you please remove your double posts :wink:

The issue is fixed now:

```javascript
import { ChatOpenAI } from "@langchain/openai";
// @langchain/openai 0.3.14

import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
import { HumanMessage, SystemMessage } from "@langchain/core/messages";
const credential = new DefaultAzureCredential();

const scope = "https://cognitiveservices.azure.com/.default";
const getAccessToken = getBearerTokenProvider(credential, scope);

// const azureADTokenProvider = getBearerTokenProvider(credential, scope);
const endpoint = "https://.openai.azure.com/";

const deployment = "gpt-4o"; // This must match your deployment name
const apiVersion = "2024-08-01-preview";

// The bearer token is fetched once here and passed to ChatOpenAI as the API key
const token = await getAccessToken();
const model = new ChatOpenAI({
  azureOpenAIApiKey: token,
  apiKey: token,
  azureOpenAIApiVersion: apiVersion,
  azureOpenAIApiDeploymentName: deployment,
  azureOpenAIEndpoint: endpoint,
  model: deployment,
  // azureADTokenProvider: azureADTokenProvider,
  // organization: "azure_ad"
});

const messages = [
  new SystemMessage("You are a helpful assistant."),
  new HumanMessage("What is the capital of France?"),
];
const response = await model.invoke(messages);
console.log(response.text); // Output: Paris
```
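
The last snippet reads one token with `await getAccessToken()` and hands it to `ChatOpenAI` as a fixed key, so a long-running process keeps sending that token after it expires. The following is an added example, not code from the thread or from n8n, that rebuilds the client when the token's `exp` claim is close; `tokenExpiry`, `createModelFactory`, `fakeToken` and the stubbed provider are hypothetical names, and the sample token is constructed so the block runs offline.

```javascript
// Added example; tokenExpiry, createModelFactory and fakeToken are hypothetical names.

// Read the `exp` claim (seconds since epoch) from a JWT access token. The token is
// not verified here: the value only schedules a refresh, it never authorizes anything.
function tokenExpiry(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof claims.exp !== "number") throw new Error("token has no exp claim");
  return claims.exp;
}

// getAccessToken: async () => string, such as the function getBearerTokenProvider() returns.
// buildModel: (token) => client, such as (t) => new ChatOpenAI({ azureOpenAIApiKey: t, ... }).
function createModelFactory(getAccessToken, buildModel, opts = {}) {
  const skewSeconds = opts.skewSeconds ?? 300; // refresh 5 minutes before expiry
  const now = opts.now ?? (() => Math.floor(Date.now() / 1000));
  let cached = null; // { model, exp }
  return async function getModel() {
    if (cached && cached.exp - now() > skewSeconds) return cached.model;
    const token = await getAccessToken();
    cached = { model: buildModel(token), exp: tokenExpiry(token) };
    return cached.model;
  };
}

// Constructed sample: an unsigned, JWT-shaped token so the demo runs offline.
function fakeToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc({ exp })}.sig`;
}

async function demo() {
  let clock = 1_000_000; // fake "now" in seconds
  let issued = 0;
  const provider = async () => { issued++; return fakeToken(clock + 3600); };
  const getModel = createModelFactory(provider, (token) => ({ token }), { now: () => clock });
  const a = await getModel();
  clock += 1800; // 1800 s of lifetime left: cached client is reused
  const b = await getModel();
  clock += 1600; // 200 s left, inside the skew window: client is rebuilt
  const c = await getModel();
  return { reused: a === b, refreshed: b !== c, issued };
}

demo().then((r) => console.log(r));
```

Call `getModel()` before each request instead of holding one `model` for the life of the process.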