Support Azure OpenAI on Sovereign clouds (#944)

Azure OpenAI SDK does not support changing token authority/audience via
environment variables.
Added new option for Azure OpenAI config, to allow setting the token
audience.

See:
-
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/openai/Azure.AI.OpenAI/README.md
-
https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/openai/Azure.AI.OpenAI/src/Custom/AzureOpenAIAudience.cs

See also #943

Author: dluc

Directory.Build.props

@@ -2,7 +2,7 @@
 <Project>
     <PropertyGroup>
         <!-- Central version prefix - applies to all nuget packages. -->
-        <Version>0.94.0</Version>
+        <Version>0.95.0</Version>
 
         <!-- C# lang version, https://learn.microsoft.com/dotnet/csharp/whats-new -->
         <LangVersion>12</LangVersion>

applications/tests/Evaluation.Tests/appsettings.json

@@ -14,27 +14,14 @@
   },
   "KernelMemory": {
     "Services": {
-      "AzureOpenAIText": {
-        // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
-        "Auth": "AzureIdentity",
-        "Endpoint": "https://<...>.openai.azure.com/",
-        "APIKey": "",
-        "Deployment": "",
-        // The max number of tokens supported by model deployed
-        // See https://learn.microsoft.com/azure/ai-services/openai/concepts/models
-        "MaxTokenTotal": 16384,
-        // "ChatCompletion" or "TextCompletion"
-        "APIType": "ChatCompletion",
-        // How many times to retry in case of throttling.
-        "MaxRetries": 10
-      },
       "AzureOpenAIEmbedding": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
@@ -52,19 +39,42 @@
         // How many times to retry in case of throttling.
         "MaxRetries": 10
       },
+      "AzureOpenAIText": {
+        // "ApiKey" or "AzureIdentity"
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
+        "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
+        "Endpoint": "https://<...>.openai.azure.com/",
+        "APIKey": "",
+        "Deployment": "",
+        // The max number of tokens supported by model deployed
+        // See https://learn.microsoft.com/azure/ai-services/openai/concepts/models
+        "MaxTokenTotal": 16384,
+        // "ChatCompletion" or "TextCompletion"
+        "APIType": "ChatCompletion",
+        // How many times to retry in case of throttling.
+        "MaxRetries": 10
+      },
       "AzureAIDocIntel": {
         // "APIKey" or "AzureIdentity".
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
       },
       "AzureAISearch": {
         // "ApiKey" or "AzureIdentity". For other options see <AzureAISearchConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         "Endpoint": "https://<...>",
         "APIKey": "",

examples/001-dotnet-WebClient/file9-settings.json

@@ -14,32 +14,38 @@
   },
   "KernelMemory": {
     "Services": {
-      "AzureOpenAIText": {
+      "AzureOpenAIEmbedding": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
         // The max number of tokens supported by model deployed
         // See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models
-        "MaxTokenTotal": 16384,
-        // "ChatCompletion" or "TextCompletion"
-        "APIType": "ChatCompletion",
-        "MaxRetries": 10
+        "MaxTokenTotal": 8191
       },
-      "AzureOpenAIEmbedding": {
+      "AzureOpenAIText": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
         // The max number of tokens supported by model deployed
         // See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models
-        "MaxTokenTotal": 8191
+        "MaxTokenTotal": 16384,
+        // "ChatCompletion" or "TextCompletion"
+        "APIType": "ChatCompletion",
+        "MaxRetries": 10
       },
       "OpenAI": {
         // Name of the model used to generate text (text completion or chat completion)
@@ -84,17 +90,21 @@
       },
       "AzureAIDocIntel": {
         // "APIKey" or "AzureIdentity".
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
       },
       "AzureAISearch": {
         // "ApiKey" or "AzureIdentity". For other options see <AzureAISearchConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         "Endpoint": "https://<...>",
         "APIKey": ""

examples/002-dotnet-Serverless/appsettings.json

@@ -3,8 +3,10 @@
     "Services": {
       "AzureAIContentSafety": {
         // "ApiKey" or "AzureIdentity". For other options see <AzureAIContentSafetyConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         "Endpoint": "https://<...>",
         "APIKey": "",
@@ -13,17 +15,21 @@
       },
       "AzureAIDocIntel": {
         // "APIKey" or "AzureIdentity".
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
       },
       "AzureAISearch": {
         // "ApiKey" or "AzureIdentity". For other options see <AzureAISearchConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         "Endpoint": "https://<...>",
         "APIKey": "",
@@ -44,8 +50,10 @@
       },
       "AzureBlobs": {
         // "ConnectionString" or "AzureIdentity". For other options see <AzureBlobConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         // Azure Storage account name, required when using AzureIdentity auth
         // Note: you can use an env var 'KernelMemory__Services__AzureBlobs__Account' to set this
@@ -60,9 +68,12 @@
       },
       "AzureOpenAIEmbedding": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         // Your Azure Deployment name
@@ -92,9 +103,12 @@
       },
       "AzureOpenAIText": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",

examples/002-dotnet-Serverless/file9-settings.json

@@ -14,32 +14,38 @@
   },
   "KernelMemory": {
     "Services": {
-      "AzureOpenAIText": {
+      "AzureOpenAIEmbedding": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
         // The max number of tokens supported by model deployed
         // See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models
-        "MaxTokenTotal": 16384,
-        // "ChatCompletion" or "TextCompletion"
-        "APIType": "ChatCompletion",
-        "MaxRetries": 10
+        "MaxTokenTotal": 8191
       },
-      "AzureOpenAIEmbedding": {
+      "AzureOpenAIText": {
         // "ApiKey" or "AzureIdentity"
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
+        // When the service is on sovereign clouds the AZURE_AUTHORITY_HOST env var might not work,
+        // in which case use this to change the client audience.
+        "AzureOpenAIAudience": null,
         "Endpoint": "https://<...>.openai.azure.com/",
         "APIKey": "",
         "Deployment": "",
         // The max number of tokens supported by model deployed
         // See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models
-        "MaxTokenTotal": 8191
+        "MaxTokenTotal": 16384,
+        // "ChatCompletion" or "TextCompletion"
+        "APIType": "ChatCompletion",
+        "MaxRetries": 10
       },
       "OpenAI": {
         // Name of the model used to generate text (text completion or chat completion)
@@ -84,17 +90,21 @@
       },
       "AzureAIDocIntel": {
         // "APIKey" or "AzureIdentity".
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         // Required when Auth == APIKey
         "APIKey": "",
         "Endpoint": ""
       },
       "AzureAISearch": {
         // "ApiKey" or "AzureIdentity". For other options see <AzureAISearchConfig>.
-        // AzureIdentity: use automatic AAD authentication mechanism. You can test locally
-        //   using the env vars AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
+        // AzureIdentity: use automatic Entra (AAD) authentication mechanism.
+        //   When the service is on sovereign clouds you can use the AZURE_AUTHORITY_HOST env var to
+        //   set the authority host. See https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme
+        //   You can test locally using the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET env vars.
         "Auth": "AzureIdentity",
         "Endpoint": "https://<...>",
         "APIKey": ""