Support Azure TokenCredential for authentication against Azure OpenAI

[asaikali]

The current AzureOpenAI auto-configuration code assume that the users will provide a static api key if no key is set, then an exception is throw see

spring-ai/spring-ai-spring-boot-autoconfigure/src/main/java/org/springframework/ai/autoconfigure/azure/openai/AzureOpenAiAutoConfiguration.java

Line 66 in ca1949c

public OpenAIClientBuilder openAIClientBuilder(AzureOpenAiConnectionProperties connectionProperties) {

Azure supports a keyless authentication mode that uses Azure Active Directory and system identity. Some users of Azure will disable key based accessed for the Azure Open AI service and those users can't use spring-ai with azure open ai.

Todo:

• Enhance the the AzureOpenAiAutoConfiguration to support keyless authentication.
• Document how users can configure keyless authentication

Reference https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/authentication

Resources:

• https://github.com/Azure-Samples/azure-openai-keyless-java

[KKulma]

I second this—at the very least, please provide documentation on how to update relevant scripts to enable authentication via Service Principal. We're wrestling with it at the moment, and autoconfiguration is stubbornly hard to override!

[frankliu20]

Vote for this.
Keyless authentication is more secure and recommended apporach when using Azure Open AI. There is an builder which requires developer to build the TokenCredential

        @Bean
	@ConditionalOnMissingBean
	@ConditionalOnBean(TokenCredential.class)
	public OpenAIClientBuilder openAIClientWithTokenCredential(AzureOpenAiConnectionProperties connectionProperties,
			TokenCredential tokenCredential) {

		Assert.notNull(tokenCredential, "TokenCredential must not be null");
		Assert.hasText(connectionProperties.getEndpoint(), "Endpoint must not be empty");

		return new OpenAIClientBuilder().endpoint(connectionProperties.getEndpoint())
			.credential(tokenCredential)
			.clientOptions(new ClientOptions().setApplicationId(APPLICATION_ID));
	}

While, this is not convinent enough, and it requires the devlopers to lean and build a TokenCredential by themself. I suppose, we should just add a TokenCredential bean here with the DefaultAzureCredentialBuilder in case no one feed that.

    @Bean
    @ConditionalOnMissingBean
    public TokenCredential AzureTokenCredential() {
        TokenCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
        return defaultCredential;
    }

[markpollack]

@mkheck @TheovanKraay Is this something that you can help out with please?

Related to #2707

[mkheck]

@markpollack Let me investigate this and see where it leads. More news soon.

[mkheck]

Submitted PR 2992 to resolve.

[markpollack]

closing, please reopen if there are any problems.