Multi-tenant API Keys?

[patriot1burke]

So, I'm writing an app for myself, that I may and make available to the wider internet. But.... I Don't want to have to pay for LLM time with my own API keys. So I thought, it might be great to manage API keys on a per user basis. Obtain an API Key for the user via OAuth or through user input. Then quarkus-langchain4j will need a way to propagate this.

I don't know if my usecase is so narrow, but it might help new AI projects come online and such. Could provide a solution too, with Keycloak.

[patriot1burke]

For example, obtain an oauth grant from Azure OpenAI

https://learn.microsoft.com/en-us/azure/api-management/api-management-authenticate-authorize-azure-openai#oauth-20-authorization-using-identity-provider

[geoand]

I think this is very valid and IIRC, @sberyozkin did something already in this area?

[sberyozkin]

Hi @patriot1burke @geoand

This is exactly what https://github.com/quarkiverse/quarkus-langchain4j/tree/main/samples/secure-poem-multiple-models shows, with both Google (Gemini) and Azure OpenAI...

It really only works for models co-located with providers like EntraID, Google, where the user authentication token can become a valid token to access the model...
To make that work with Keycloak, for example, where a user logs in with Keycloak but Azure OpenAI model is used, I think Keycloak would have to be configured to federate to EntraID, to get an actual EntraID access token, but it is not clear if it can work - but the Keycloak team is looking into this space too

[sberyozkin]

@pedroigor FYI