Following the OAuth 2.0 standard, ModelOp Center requires the following Azure AD configuration when used with OAuth2 for a successful integration:

  1. Apps
    1. gateway-service
    2. internal-client
    3. external-integration-client
    4. go-cli
  2. Scopes
    1. custom_scope
  3. App role
    1. modelop_client
  4. Access token version: 2

Normally, access tokens issued by Azure AD are issued for Microsoft Graph. However, ModelOp Center needs access tokens issued for the aforementioned applications. To accomplish that, each application needs a manually created scope (Expose an API tab; Add a scope), custom_scope for example, to indicate the access tokens issued for the given application are intended for the application and not Microsoft Graph. Additionally, the custom_scope has to be added as a permission (API permissions tab; Add a permission) on the application and admin consent must be granted (API permissions tab; Grant admin consent for), so that the application can actually use the permission.
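The paragraph above states what a correctly issued token must look like: version 2, an audience that is the ModelOp Center application (not Microsoft Graph), and the custom_scope (or, for the client-credentials client, the modelop_client app role). The following added example, which is not part of the original page or of ModelOp Center's code, shows how a service can check those claims. It uses only the Python standard library; the tenant and client IDs are constructed placeholders, the Microsoft Graph application ID is the public well-known value, and the tokens are built unsigned for illustration, so signature verification against the tenant's JWKS URI is assumed to happen before these checks.

```python
import base64
import json
import time

# Constructed placeholder identifiers for this example (not real tenant/app IDs).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
GATEWAY_SERVICE_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
# Well-known application ID of Microsoft Graph (public constant); used to model a
# token that was issued for Graph instead of for a ModelOp Center app.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Issuer carried by Azure AD v2.0 access tokens (ver == "2.0") for a tenant.
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# The aud of a v2 token is the client ID, or the Application ID URI when one is
# set (Azure suggests api://<client ID>); accept either form.
GATEWAY_AUDIENCES = {GATEWAY_SERVICE_CLIENT_ID, f"api://{GATEWAY_SERVICE_CLIENT_ID}"}


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT checking its signature.

    The signature must be verified against the tenant's JWKS URI before any of
    these claims is trusted; this helper only parses the payload segment.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_access_token_claims(claims, expected_audiences, expected_issuer,
                                 required_scope=None, required_role=None, now=None):
    """Check an Azure AD v2 access token's claims as a ModelOp Center app would.

    Returns (ok, reason). Delegated (user) tokens carry scopes in the
    space-separated 'scp' claim; app-only (client credentials) tokens carry
    app roles in the 'roles' list and 'idtyp' == 'app'.
    """
    now = time.time() if now is None else now
    if claims.get("ver") != "2.0":
        return False, "access token version must be 2 (ver claim is not '2.0')"
    if claims.get("iss") != expected_issuer:
        return False, f"unexpected issuer {claims.get('iss')!r}"
    if claims.get("aud") not in expected_audiences:
        return False, f"token not issued for this app (aud={claims.get('aud')!r})"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp claim missing"
    if required_scope is not None:
        scopes = set(str(claims.get("scp", "")).split())
        if required_scope not in scopes:
            return False, f"missing delegated scope {required_scope!r}"
    if required_role is not None:
        if required_role not in claims.get("roles", []):
            return False, f"missing app role {required_role!r}"
    return True, "ok"


def _constructed_jwt(payload: dict) -> str:
    """Build an UNSIGNED compact JWT for demonstration only (dummy signature)."""
    def b64url(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.dummy-signature"


def run_checks(now: int = 1_700_000_000) -> dict:
    """Validate a set of constructed tokens; maps case name -> (ok, reason)."""
    base = {"iss": EXPECTED_ISSUER, "aud": GATEWAY_SERVICE_CLIENT_ID,
            "ver": "2.0", "exp": now + 3600}
    cases = {
        "delegated_ok":   {**base, "scp": "custom_scope email profile"},
        "graph_audience": {**base, "aud": MS_GRAPH_APP_ID, "scp": "custom_scope"},
        "v1_token":       {**base, "ver": "1.0",
                           "iss": f"https://sts.windows.net/{TENANT_ID}/",
                           "scp": "custom_scope"},
        "missing_scope":  {**base, "scp": "openid profile"},
        "app_only_ok":    {**base, "roles": ["modelop_client"], "idtyp": "app"},
    }
    results = {}
    for name, payload in cases.items():
        claims = decode_jwt_payload(_constructed_jwt(payload))
        want_role = "modelop_client" if name.startswith("app_only") else None
        want_scope = None if want_role else "custom_scope"
        results[name] = validate_access_token_claims(
            claims, GATEWAY_AUDIENCES, EXPECTED_ISSUER,
            required_scope=want_scope, required_role=want_role, now=now)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in run_checks().items():
        print(f"{case:15s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The Graph-audience and v1 cases are the two failure modes the paragraph warns about: without the custom scope and admin consent, Azure AD hands out a token whose aud is Microsoft Graph, and without the token version setting the issuer and version differ from what ModelOp Center expects.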

For more details per application, please reference the following summary. It lists, for each proposed application, the platform, grant type, scope, app roles, token claims and redirect URIs; a client ID and client secret are required for each application (see the list of ModelOp Center values at the end of this page).

gateway-service

  • Platform: Web

  • Grant Type: Authorization Code

  • Scope: openid, profile, email, custom_scope, offline_access

  • Token Claims: email, family_name, given_name, preferred_username, groups

  • Redirect URIs: https://<ModelOp Center URL>/login/oauth2/code/gateway-service

internal-client

  • Grant Type: Client Credentials

  • App Roles: modelop_client

  • Token Claims: email, family_name, given_name, preferred_username, idtyp

external-integration-client

  • Platform: Single-page application; Mobile and desktop applications

  • Grant Type: Implicit

  • Scope: custom_scope

  • Token Claims: email, family_name, given_name, preferred_username, groups

  • Redirect URIs:

    1. Single-page application:

      • https://<ModelOp Center URL>/jupyterOauth2ImplicitGrant.html

      • https://<ModelOp Center URL>/modelOpWDC.html

    2. Mobile and desktop applications:

      • https://oauth.powerbi.com/views/oauthredirect.html

go-cli

  • Grant Type: Password

  • Scope: custom_scope

  • Token Claims: email, family_name, given_name, preferred_username, groups

NOTE: Once the internal-client app has been created, open the app's Overview tab and click:

  • "Add an Application ID URI"

  • "Set"

  • "Save" to accept the suggested Application ID URI.

In addition to the configuration at Azure AD, ModelOp Center needs to be configured with the following values:

  • Issuer URI

  • Authorization URI

  • Token URI

  • JWKS URI

  • Client ID for each application

  • Client Secret for each application
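The first four values in the list above are published by Azure AD in the tenant's OpenID Connect discovery document. The following added example (not part of the original page or of ModelOp Center) derives the Issuer, Authorization, Token and JWKS URIs from such a document and rejects one that does not describe the tenant's v2.0 issuer, which is what the "Access token version: 2" setting above requires. It uses only the Python standard library and assumes the global Azure cloud host login.microsoftonline.com; the tenant ID and the sample document are constructed placeholders shaped like Azure's real response.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Global Azure AD login host (national clouds use different hosts; not covered here).
LOGIN_HOST = "https://login.microsoftonline.com"

# Constructed placeholder tenant ID for the offline demo.
TENANT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed sample discovery document, shaped like the tenant's v2.0 response.
SAMPLE_DISCOVERY = {
    "issuer": f"{LOGIN_HOST}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"{LOGIN_HOST}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"{LOGIN_HOST}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"{LOGIN_HOST}/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
}
# Same document but with a v1-style issuer; a v1 configuration would not match
# version 2 access tokens and is rejected below.
V1_STYLE_DISCOVERY = {**SAMPLE_DISCOVERY, "issuer": f"https://sts.windows.net/{TENANT_ID}/"}

# Discovery key -> the ModelOp Center setting it feeds.
REQUIRED_KEYS = {
    "issuer": "Issuer URI",
    "authorization_endpoint": "Authorization URI",
    "token_endpoint": "Token URI",
    "jwks_uri": "JWKS URI",
}


def discovery_url(tenant_id: str) -> str:
    """OpenID Connect discovery document for the tenant's v2.0 endpoint."""
    return f"{LOGIN_HOST}/{tenant_id}/v2.0/.well-known/openid-configuration"


def fetch_discovery(tenant_id: str, timeout: float = 10.0) -> dict:
    """Download the discovery document (needs network; the demo below does not call it)."""
    with urllib.request.urlopen(discovery_url(tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def modelop_provider_settings(doc: dict, tenant_id: str) -> dict:
    """Map a discovery document to the four URIs ModelOp Center is configured with.

    Raises ValueError when a key is missing, when the issuer is not this
    tenant's v2.0 issuer, or when any endpoint is not an https URL on LOGIN_HOST.
    """
    missing = [key for key in REQUIRED_KEYS if key not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")

    expected_issuer = f"{LOGIN_HOST}/{tenant_id}/v2.0"
    if doc["issuer"] != expected_issuer:
        raise ValueError(
            f"issuer {doc['issuer']!r} is not the v2.0 issuer for tenant {tenant_id}")

    login_netloc = urlparse(LOGIN_HOST).netloc
    settings = {}
    for key, label in REQUIRED_KEYS.items():
        url = urlparse(doc[key])
        if url.scheme != "https" or url.netloc != login_netloc:
            raise ValueError(f"{key} must be an https URL on {LOGIN_HOST}: {doc[key]!r}")
        settings[label] = doc[key]
    return settings


if __name__ == "__main__":
    for label, value in modelop_provider_settings(SAMPLE_DISCOVERY, TENANT_ID).items():
        print(f"{label:18s} {value}")
```

Replacing SAMPLE_DISCOVERY with the result of fetch_discovery(<your tenant ID>) yields the live values; the client ID and client secret for each application still come from the app registrations themselves.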