Onboarding an app
For apps to integrate with the Verified Orchestration platform, they must be granted access to Verified Orchestration application roles. Which roles are granted depends on the tasks the app will carry out and the access model used.
A tenant administrator can help with onboarding an app in the Microsoft Azure Portal. The following sections describe what is needed to onboard an app:
Access models
Primary access to the Verified Orchestration platform is via client credentials. A second access model, limited access tokens, supports controlled access by apps which do not have the ability to securely store a secret.
Conventional access via client credentials
This model is suitable for apps which can securely store a secret, such as APIs, automation workflows, etc. The following application roles apply to this access model:
Contract admin
Application role: VerifiableCredential.ContractAdmin
Permissions:
- Create, modify and delete contract data
- Create, modify and delete template data
- Provision contracts
- Deprecate contracts
- Revoke issuances
Issue
Application role: VerifiableCredential.Issue
Permissions:
- Create and read issuance data
- Create and read identity data
- Create photo capture requests
- Read contract data
Present
Application role: VerifiableCredential.Present
Permissions:
- Create and read presentation data
- Read identity data
- Read contract data
Request approval
Application role: VerifiableCredential.RequestApproval
Permissions:
- Create approval requests
- Manage approval requests (update, cancel) that were created by the app
Limited access token model
Limited access tokens support controlled access in client apps which do not have the ability to securely store a secret, such as Single Page Applications (SPA), mobile apps, etc. The following application roles allow a secure backend app to acquire limited access tokens to be used in such client apps.
Acquire presentation token
Application role: VerifiableCredential.AcquireLimitedAccessToken.Present
Permissions:
- Create and read identity data
- Acquire a limited access token that can perform presentations
Note: Use this role when the identity of the presenter is known at the time of acquiring the token. If the presenter identity is not known, use the acquire anonymous presentation token role instead.
Acquire anonymous presentation token
Application role: VerifiableCredential.AcquireLimitedAccessToken.AnonymousPresentations
Permissions:
- Create and read identity data
- Acquire a limited access token that can perform anonymous presentations
Acquire issuance token
Application role: VerifiableCredential.AcquireLimitedAccessToken.Issue
Permissions:
- Create and read identity data
- Acquire a limited access token that can issue credentials and read issuance data
Acquire list contracts token
Application role: VerifiableCredential.AcquireLimitedAccessToken.ListContracts
Permissions:
- Create and read identity data
- Acquire a limited access token that can list contracts
For more information on how the limited access token works, refer to the Limited access tokens guide.
Authorization
Refer to the client credentials flow documentation for info on how to get an access token.
An example of getting an access token using the @azure/msal-node package is available in the Secure backend API guide.
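The role tables above and the authorization step can be tied together in a small pre-deployment check. The following Node.js snippet is an added example, not code from the Verified Orchestration documentation or the project: it picks the minimal role set for an app from the roles listed on this page (choosing the anonymous presentation role when the presenter is not known, as the note above describes), then inspects the roles claim of an access token the app obtained and reports roles that are missing (calls will be refused) or unexpected (the app is over-provisioned). The task vocabulary (`issue`, `present`, ...), the helper names, the audience value and the sample token are all constructed for this example; the token is unsigned and is only decoded for inspection, since signature validation is the job of the API that receives it.

```javascript
// Added example: choose minimal application roles and audit a token's roles claim.
// Role names are the ones listed on this page; everything else is constructed.

// Application roles from this page, keyed by the access model they belong to.
const APP_ROLES = {
  clientCredentials: {
    contractAdmin: 'VerifiableCredential.ContractAdmin',
    issue: 'VerifiableCredential.Issue',
    present: 'VerifiableCredential.Present',
    requestApproval: 'VerifiableCredential.RequestApproval',
  },
  limitedAccess: {
    present: 'VerifiableCredential.AcquireLimitedAccessToken.Present',
    anonymousPresent: 'VerifiableCredential.AcquireLimitedAccessToken.AnonymousPresentations',
    issue: 'VerifiableCredential.AcquireLimitedAccessToken.Issue',
    listContracts: 'VerifiableCredential.AcquireLimitedAccessToken.ListContracts',
  },
};

// Return the smallest sorted role list for the given tasks (hypothetical task
// vocabulary: 'issue', 'present', 'contractAdmin', 'requestApproval', 'listContracts').
// clientCanKeepSecret selects the access model; presenterKnown only matters for
// 'present' under the limited access model.
function rolesFor(tasks, { clientCanKeepSecret, presenterKnown = true }) {
  const model = clientCanKeepSecret ? APP_ROLES.clientCredentials : APP_ROLES.limitedAccess;
  const roles = new Set();
  for (const task of tasks) {
    let key = task;
    // Presenter identity unknown at acquisition time: use the anonymous variant.
    if (task === 'present' && !clientCanKeepSecret && !presenterKnown) key = 'anonymousPresent';
    if (!(key in model)) throw new Error(`task "${task}" has no role in this access model`);
    roles.add(model[key]);
  }
  return [...roles].sort();
}

// Decode the payload segment of a compact JWS without verifying it. This is
// for inspecting a token the app itself obtained, not for authorizing anything.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the roles claim with the roles the app is supposed to have.
// missing: calls needing them will be refused; unexpected: over-provisioned.
function auditTokenRoles(token, expectedRoles) {
  const granted = new Set(decodeJwtPayload(token).roles ?? []);
  const expected = new Set(expectedRoles);
  return {
    missing: [...expected].filter((r) => !granted.has(r)).sort(),
    unexpected: [...granted].filter((r) => !expected.has(r)).sort(),
  };
}

// Constructed sample token: header + payload + placeholder signature. A real
// token is issued and signed by Microsoft Entra ID; the audience below is a placeholder.
function constructSampleToken(roles) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'RS256', typ: 'JWT' });
  const payload = enc({ aud: 'api://verified-orchestration-placeholder', roles });
  return `${header}.${payload}.placeholder-signature`;
}

// An app that only issues credentials but was granted ContractAdmin as well.
const SAMPLE_TOKEN = constructSampleToken([
  'VerifiableCredential.Issue',
  'VerifiableCredential.ContractAdmin',
]);

function demo() {
  const wanted = rolesFor(['issue'], { clientCanKeepSecret: true });
  return auditTokenRoles(SAMPLE_TOKEN, wanted);
}

console.log(demo()); // { missing: [], unexpected: [ 'VerifiableCredential.ContractAdmin' ] }
```

Run this once against a token obtained through the client credentials flow before the app goes live; an `unexpected` entry means the app registration carries a role it does not need and should be trimmed, while a `missing` entry means the Verified Orchestration API will refuse the corresponding calls.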
Instance configuration
Refer to the Instance configuration guide for the following configuration settings:
Application label
When you onboard an application, you can supply a user-friendly label, which helps users understand which apps are issuing credentials or requesting their presentation.
CORS origin
If you are using a web application to access the Verified Orchestration API, the host address must be configured as a CORS origin.