Connection through. Azure Active Directory

Hello,

We have deployed a labelstudio on Azure AppService and we have configured an Azure Active Directory for security.

Is it possible to use the label-studio-sdk with this configuration ?
We need to auth the python-requests session to the Azure AD ?
Has anyone managed to do it ?

With the default config, we fail the healthcheck at the check_connection method and my intuition is Azure AD doesn't allow us to http.get(/health) (and it is legit !)

Maybe there is a way to adapt our connection to pass Azure AD ?

mmmmh maybe using

label-studio-sdk/label_studio_sdk/client.py

Lines 69 to 70 in 491471c

    
                   oidc_token: str 
        
                       Bearer token for proxy authentication - in case the server is behind an authenticating proxy.

(I hope it is so simple !)

It works with extra_headers param :)

Hello again.
The Bearer token is enough for a GET /health request or a GET /api/version
But for any GET /api/project request it fails

example :

ls = Client(
    url=label_studio_url,
    api_key=label_studio_access_token,
    extra_headers=azure_ad_headers,
)

print(ls.check_connection()). #it works : {'status': 'UP'}

ls.get_projects(). #it does not work

We get the following trace :

requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://labelstudio-web-app.azurewebsites.net/api/projects?page_size=10000000

I notice that the extra_header replace the token... it seems strange to me.
My intuition is I cannot use both the Azure AD Bearer Token & the Label-Studio user token. Do you think it is true ?

Hum maybe I cannot use Azure AD this way (we have two authentifications here : azure AD & label-studio)
Maybe I need to configure it using : https://docs.humansignal.com/guide/auth_setup and will it replace the label-studio auth ?

	oidc_token: str
	Bearer token for proxy authentication - in case the server is behind an authenticating proxy.