Onboarding an app
For an app to integrate with the VO platform, it must be granted one or more VO application roles. Which roles to grant depends on the tasks the app will carry out and on the access model it uses; grant only the roles those tasks require.
A tenant administrator can help onboard an app in the Microsoft Azure Portal. Use the following steps to onboard an app:
The name of the VO platform application in Azure AD is available in the Composer configuration.
Access models
Primary access to the VO platform is via client credentials. A second access model, limited access tokens, supports controlled access by apps which cannot securely store a secret.
Conventional access via client credentials
This model is suitable for apps which can securely store a secret, such as backend APIs, automation workflows and similar server-side components. The following application roles apply to this access model:
- Contract admin
- Credential issuance
- Credential presentation
- Approval request integration
- Credentials - Revoke
Contract admin
Application role: VerifiableCredential.ContractAdmin
Permissions:
- Create, modify and delete contract data
- Create, modify and delete template data
- Provision contracts
- Deprecate contracts
- Revoke issuances
Credential issuance
Application role: VerifiableCredential.Issue
Permissions:
- Create and read issuance data
- Create and read identity data
- Create photo capture requests
- Read contract data
Credential presentation
Application role: VerifiableCredential.Present
Permissions:
- Create and read presentation data
- Read identity data
- Read contract data
Approval request integration
Application role: VerifiableCredential.RequestApproval
Permissions:
- Create approval requests
- Manage approval requests (update, cancel) that were created by the app
Credentials - Revoke
Application role: credentials.revoke
Permissions:
- Revoke credentials
Limited access token model
Limited access tokens support controlled access for client apps which cannot securely store a secret, such as Single Page Applications (SPA) and mobile apps. The following application roles allow a secure backend app to acquire limited access tokens on behalf of such client apps; the client app itself never holds the backend's client secret.
Acquire limited access token: present
Application role: VerifiableCredential.AcquireLimitedAccessToken.Present
Permissions:
- Create and read identity data
- Acquire a limited access token that can perform presentations
Note: Use this role when the identity of the presenter is known at the time the token is acquired. If the presenter identity is not known, use the Acquire limited access token: anonymous presentations role instead.
Acquire limited access token: anonymous presentations
Application role: VerifiableCredential.AcquireLimitedAccessToken.AnonymousPresentations
Permissions:
- Create and read identity data
- Acquire a limited access token that can perform anonymous presentations
Acquire limited access token: issue
Application role: VerifiableCredential.AcquireLimitedAccessToken.Issue
Permissions:
- Create and read identity data
- Acquire a limited access token that can issue credentials and read issuance data
Acquire limited access token: list contracts
Application role: VerifiableCredential.AcquireLimitedAccessToken.ListContracts
Permissions:
- Create and read identity data
- Acquire a limited access token that can list contracts
For more information on how the limited access token works, refer to the Limited access tokens guide.
Authorization
Refer to the client credentials flow documentation for information on how to get an access token.
The scope for this VO platform instance is available in the Composer configuration.
An example of getting an access token using the @azure/msal-node package is available in the Secure backend API guide.
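The following is an added example, not code from the VO platform documentation or from the Secure backend API guide. It shows how a confidential backend acquires an access token for the VO platform with the @azure/msal-node client credentials flow, and then checks that the token actually carries the application role the intended call needs, so that a missing role assignment on the app registration is caught before the first VO API request fails with a permission error. The tenant id, client id and scope value are placeholders (the real scope and application name come from the Composer configuration), and the decoded token is a constructed sample; decoding claims here is an inspection aid for the backend's own token, not token validation, which the VO API performs on its side.

```javascript
// Added example (not from the VO platform docs or the Secure backend API guide).
// (1) Acquire a VO access token with @azure/msal-node's client-credentials flow.
// (2) Check offline that the token carries the application role the call needs.
//
// Assumed values (not from the page): tenant id, client id and the VO scope.
// In a real deployment the scope comes from the Composer configuration.
const TENANT_ID = '00000000-0000-0000-0000-000000000000'; // assumption
const CLIENT_ID = '11111111-1111-1111-1111-111111111111'; // assumption
const VO_SCOPE = 'api://vo-platform-app-id/.default';      // assumption

// Live call. The require() is inside the function so the rest of the file
// runs offline without the package installed.
async function acquireVoToken(clientSecret, scope = VO_SCOPE) {
  const msal = require('@azure/msal-node');
  const cca = new msal.ConfidentialClientApplication({
    auth: {
      clientId: CLIENT_ID,
      authority: `https://login.microsoftonline.com/${TENANT_ID}`,
      clientSecret, // keep in a secret store, never in client-side code
    },
  });
  const result = await cca.acquireTokenByClientCredential({ scopes: [scope] });
  return result.accessToken;
}

// Decode the payload of a compact JWS without verifying the signature.
// This is NOT validation; it only lets the backend inspect its own token.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return the required roles that the token's 'roles' claim does not contain.
// An empty array means the app registration has every role the call needs.
function missingRoles(token, requiredRoles) {
  const granted = new Set(decodeJwtClaims(token).roles || []);
  return requiredRoles.filter((role) => !granted.has(role));
}

// Constructed sample token (header.payload.signature); the signature is a dummy.
function makeSampleToken(roles) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = b64({ alg: 'RS256', typ: 'JWT' });
  const payload = b64({ aud: VO_SCOPE.replace('/.default', ''), roles });
  return `${header}.${payload}.sig`;
}

const sample = makeSampleToken(['VerifiableCredential.Issue', 'VerifiableCredential.Present']);
console.log(missingRoles(sample, ['VerifiableCredential.Issue']));        // []
console.log(missingRoles(sample, ['VerifiableCredential.ContractAdmin'])); // ['VerifiableCredential.ContractAdmin']
```

In production, call `acquireVoToken` with the secret loaded from a secret store, then run `missingRoles` once at startup against the roles listed for the access model the app uses; a non-empty result means the app registration still needs an admin to grant those roles.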
Instance configuration
Refer to the Instance configuration guide for the following configuration settings:
Application label
When you onboard an application, you can supply a user-friendly label, helping users to understand which apps are issuing or requesting presentation of credentials.
CORS origin
If a browser-based web application calls the VO API directly, its origin (scheme, host and port) must be configured as a CORS origin; otherwise the browser will block the cross-origin requests.