Creating a custom scope

By default, Azure AD issues access tokens for Microsoft Graph. However, ModelOp Center requires that the access tokens requested with the following apps be issued for the apps themselves and not for Microsoft Graph: gateway-service, internal-client, external-integration-client, and go-cli.

For Azure AD to issue tokens for these apps, each app needs a custom scope. This page uses custom_scope as the example scope name. To create the custom scope, follow these steps for each app:

  1. Open the app registration

  2. Open the “Expose an API” tab

  3. Click “Add a scope”

    1. Scope name: custom_scope

    2. Who can consent? Admins and users

    3. Admin consent display name: custom_scope

    4. Admin consent description: A custom ModelOp Center scope

    5. User consent display name:

    6. User consent description:

    7. State: Enabled

Once the custom scope is created, it must be added as a permission on each ModelOp Center app, and admin consent must be granted before the app can use it:

  1. Open the app registration

  2. Open the “API permissions” tab

  3. Click “Add a permission”

    1. Click “APIs my organization uses”

    2. Search for the app by name (for example, “gateway-service”) and select it

    3. Click “Delegated permissions”

    4. Select custom_scope

  4. Click “Grant admin consent for _”

Creating an app role

To create an app role for a given app, follow these steps:

  1. Open the app registration

  2. Click “Create app role”

    1. Display name: modelop_client

    2. Allowed member types: Applications

    3. Value: modelop_client

    4. Description: This role is used to distinguish between OAuth2 clients and end users
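
The following is an added example, not part of the original page or ModelOp Center's own code: a check that a token obtained after the steps above was issued for the app rather than Microsoft Graph, and whether it carries custom_scope (end user) or modelop_client (OAuth2 client). It decodes the token without verifying the signature, so it is a configuration check only. It assumes the default api://<client-id> Application ID URI and that delegated scopes arrive in the scp claim and app roles in the roles claim; the client ID and tokens are constructed placeholders.

```python
import base64
import json
# Well-known Microsoft Graph audiences; a token carrying one was not issued for the app.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def jwt_claims(token):
    """Decode the payload of a JWT WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, client_id, scope="custom_scope", role="modelop_client"):
    """Return (kind, problems); kind is 'user', 'client' or None."""
    claims = jwt_claims(token)
    problems = []
    aud = claims.get("aud", "")
    if aud in GRAPH_AUDIENCES:
        problems.append("audience is Microsoft Graph, not the app")
    elif aud not in (client_id, "api://" + client_id):  # assumed default App ID URI
        problems.append("unexpected audience: %r" % aud)
    scopes = claims.get("scp", "").split()  # delegated scopes, space separated
    roles = claims.get("roles", [])         # app roles, JSON array
    if scope in scopes:
        kind = "user"
    elif role in roles:
        kind = "client"
    else:
        kind = None
        problems.append("neither scope nor app role present")
    return kind, problems


def _sample_token(claims):
    """Build an unsigned, constructed token for the demo (the signature is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])

APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder client ID
GOOD_USER = _sample_token({"aud": "api://" + APP_ID, "scp": "custom_scope"})
GOOD_CLIENT = _sample_token({"aud": APP_ID, "roles": ["modelop_client"]})
GRAPH_TOKEN = _sample_token({"aud": "00000003-0000-0000-c000-000000000000", "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in [("user", GOOD_USER), ("client", GOOD_CLIENT), ("graph", GRAPH_TOKEN)]:
        print(name, check_token(tok, APP_ID))
```

A token whose audience is Microsoft Graph usually means the token request named a Graph scope instead of the app's custom_scope.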
