feat: add scopes field in azure key config for entra id auth

Author: tejas ghatte

core/providers/azure/azure.go

@@ -83,8 +83,13 @@ func (provider *AzureProvider) getAzureAuthHeaders(ctx *schemas.BifrostContext,
 			return nil, providerUtils.NewBifrostOperationError("failed to get or create Azure authentication", err, schemas.Azure)
 		}
 
+		scopes := []string{DefaultAzureScope}
+		if len(key.AzureKeyConfig.Scopes) > 0 {
+			scopes = key.AzureKeyConfig.Scopes
+		}
+
 		token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
-			Scopes: []string{DefaultAzureScope},
+			Scopes: scopes,
 		})
 		if err != nil {
 			return nil, providerUtils.NewBifrostOperationError("failed to get Azure access token", err, schemas.Azure)

core/providers/azure/files.go

@@ -26,8 +26,13 @@ func (provider *AzureProvider) setAzureAuth(ctx context.Context, req *fasthttp.R
 			return providerUtils.NewBifrostOperationError("failed to get or create Azure authentication", err, schemas.Azure)
 		}
 
+		scopes := []string{DefaultAzureScope}
+		if len(key.AzureKeyConfig.Scopes) > 0 {
+			scopes = key.AzureKeyConfig.Scopes
+		}
+
 		token, err := cred.GetToken(ctx, policy.TokenRequestOptions{
-			Scopes: []string{DefaultAzureScope},
+			Scopes: scopes,
 		})
 		if err != nil {
 			return providerUtils.NewBifrostOperationError("failed to get Azure access token", err, schemas.Azure)

core/schemas/account.go

@@ -27,9 +27,10 @@ type AzureKeyConfig struct {
 	Deployments map[string]string `json:"deployments,omitempty"` // Mapping of model names to deployment names
 	APIVersion  *EnvVar           `json:"api_version,omitempty"` // Azure API version to use; defaults to "2024-10-21"
 
-	ClientID     *EnvVar `json:"client_id,omitempty"`     // Azure client ID for authentication
-	ClientSecret *EnvVar `json:"client_secret,omitempty"` // Azure client secret for authentication
-	TenantID     *EnvVar `json:"tenant_id,omitempty"`     // Azure tenant ID for authentication
+	ClientID     *EnvVar  `json:"client_id,omitempty"`     // Azure client ID for authentication
+	ClientSecret *EnvVar  `json:"client_secret,omitempty"` // Azure client secret for authentication
+	TenantID     *EnvVar  `json:"tenant_id,omitempty"`     // Azure tenant ID for authentication
+	Scopes       []string `json:"scopes,omitempty"`
 }
 
 // VertexKeyConfig represents the Vertex-specific configuration.

docs/providers/supported-providers/azure.mdx

@@ -104,6 +104,7 @@ If you set `client_id`, `client_secret`, and `tenant_id`, Azure Entra ID authent
     "client_id": "your-client-id",
     "client_secret": "your-client-secret",
     "tenant_id": "your-tenant-id",
+    "scopes": ["https://cognitiveservices.azure.com/.default"],
     "api_version": "2024-10-21",
     "deployments": {
       "gpt-4": "my-gpt4-deployment",
@@ -139,6 +140,7 @@ If you set `client_id`, `client_secret`, and `tenant_id`, Azure Entra ID authent
 - `client_id` - Azure Entra ID client ID (optional, for Service Principal auth)
 - `client_secret` - Azure Entra ID client secret (optional, for Service Principal auth)
 - `tenant_id` - Azure Entra ID tenant ID (optional, for Service Principal auth)
+- `scopes` - OAuth scopes for token requests (default: `["https://cognitiveservices.azure.com/.default"]`)
 - `api_version` - API version to use (default: `2024-10-21`)
 - `deployments` - Map of model names to deployment IDs (optional, can be provided per-request)
 - `allowed_models` - List of allowed models to use from this key (optional)

docs/quickstart/gateway/provider-configuration.mdx

@@ -1031,6 +1031,7 @@ curl --location 'http://localhost:8080/api/providers' \
                 "client_id": "env.AZURE_CLIENT_ID",
                 "client_secret": "env.AZURE_CLIENT_SECRET",
                 "tenant_id": "env.AZURE_TENANT_ID",
+                "scopes": ["https://cognitiveservices.azure.com/.default"],
                 "deployments": {
                     "gpt-4o": "gpt-4o-deployment",
                     "gpt-4o-mini": "gpt-4o-mini-deployment"
@@ -1061,6 +1062,7 @@ curl --location 'http://localhost:8080/api/providers' \
                         "client_id": "env.AZURE_CLIENT_ID",
                         "client_secret": "env.AZURE_CLIENT_SECRET",
                         "tenant_id": "env.AZURE_TENANT_ID",
+                        "scopes": ["https://cognitiveservices.azure.com/.default"],
                         "deployments": {
                             "gpt-4o": "gpt-4o-deployment",
                             "gpt-4o-mini": "gpt-4o-mini-deployment"

framework/configstore/clientconfig.go

@@ -293,6 +293,9 @@ func (p *ProviderConfig) Redacted() *ProviderConfig {
 			if key.AzureKeyConfig.TenantID != nil {
 				azureConfig.TenantID = key.AzureKeyConfig.TenantID.Redacted()
 			}
+			if len(key.AzureKeyConfig.Scopes) > 0 {
+				azureConfig.Scopes = key.AzureKeyConfig.Scopes
+			}
 			redactedConfig.Keys[i].AzureKeyConfig = azureConfig
 		}
 

framework/configstore/migrations.go

@@ -179,6 +179,9 @@ func triggerMigrations(ctx context.Context, db *gorm.DB) error {
 	if err := migrationAddBaseModelPricingColumn(ctx, db); err != nil {
 		return err
 	}
+	if err := migrationAddAzureScopesColumn(ctx, db); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -3227,3 +3230,34 @@ func migrationAddBaseModelPricingColumn(ctx context.Context, db *gorm.DB) error
 	}})
 	return m.Migrate()
 }
+
+// migrationAddAzureScopesColumn adds the azure_scopes column to the key table for Entra ID OAuth scopes
+func migrationAddAzureScopesColumn(ctx context.Context, db *gorm.DB) error {
+	m := migrator.New(db, migrator.DefaultOptions, []*migrator.Migration{{
+		ID: "add_azure_scopes_column",
+		Migrate: func(tx *gorm.DB) error {
+			tx = tx.WithContext(ctx)
+			migrator := tx.Migrator()
+			if !migrator.HasColumn(&tables.TableKey{}, "azure_scopes") {
+				if err := migrator.AddColumn(&tables.TableKey{}, "azure_scopes"); err != nil {
+					return fmt.Errorf("failed to add azure_scopes column: %w", err)
+				}
+			}
+			return nil
+		},
+		Rollback: func(tx *gorm.DB) error {
+			tx = tx.WithContext(ctx)
+			migrator := tx.Migrator()
+			if migrator.HasColumn(&tables.TableKey{}, "azure_scopes") {
+				if err := migrator.DropColumn(&tables.TableKey{}, "azure_scopes"); err != nil {
+					return fmt.Errorf("failed to drop azure_scopes column: %w", err)
+				}
+			}
+			return nil
+		},
+	}})
+	if err := m.Migrate(); err != nil {
+		return fmt.Errorf("error running azure_scopes migration: %s", err.Error())
+	}
+	return nil
+}

framework/configstore/tables/key.go

@@ -11,44 +11,45 @@ import (
 
 // TableKey represents an API key configuration in the database
 type TableKey struct {
-	ID         uint             `gorm:"primaryKey;autoIncrement" json:"id"`
-	Name       string           `gorm:"type:varchar(255);uniqueIndex:idx_key_name;not null" json:"name"`
-	ProviderID uint             `gorm:"index;not null" json:"provider_id"`
-	Provider   string           `gorm:"index;type:varchar(50)" json:"provider"`                          // ModelProvider as string
-	KeyID      string           `gorm:"type:varchar(255);uniqueIndex:idx_key_id;not null" json:"key_id"` // UUID from schemas.Key
+	ID         uint           `gorm:"primaryKey;autoIncrement" json:"id"`
+	Name       string         `gorm:"type:varchar(255);uniqueIndex:idx_key_name;not null" json:"name"`
+	ProviderID uint           `gorm:"index;not null" json:"provider_id"`
+	Provider   string         `gorm:"index;type:varchar(50)" json:"provider"`                          // ModelProvider as string
+	KeyID      string         `gorm:"type:varchar(255);uniqueIndex:idx_key_id;not null" json:"key_id"` // UUID from schemas.Key
 	Value      schemas.EnvVar `gorm:"type:text;not null" json:"value"`
-	ModelsJSON string           `gorm:"type:text" json:"-"` // JSON serialized []string
-	Weight     *float64         `json:"weight"`
-	Enabled    *bool            `gorm:"default:true" json:"enabled,omitempty"`
-	CreatedAt  time.Time        `gorm:"index;not null" json:"created_at"`
-	UpdatedAt  time.Time        `gorm:"index;not null" json:"updated_at"`
+	ModelsJSON string         `gorm:"type:text" json:"-"` // JSON serialized []string
+	Weight     *float64       `json:"weight"`
+	Enabled    *bool          `gorm:"default:true" json:"enabled,omitempty"`
+	CreatedAt  time.Time      `gorm:"index;not null" json:"created_at"`
+	UpdatedAt  time.Time      `gorm:"index;not null" json:"updated_at"`
 
 	// Config hash is used to detect changes synced from config.json file
 	ConfigHash string `gorm:"type:varchar(255);null" json:"config_hash"`
 
 	// Azure config fields (embedded instead of separate table for simplicity)
 	AzureEndpoint        *schemas.EnvVar `gorm:"type:text" json:"azure_endpoint,omitempty"`
 	AzureAPIVersion      *schemas.EnvVar `gorm:"type:varchar(50)" json:"azure_api_version,omitempty"`
-	AzureDeploymentsJSON *string `gorm:"type:text" json:"-"` // JSON serialized map[string]string
+	AzureDeploymentsJSON *string         `gorm:"type:text" json:"-"` // JSON serialized map[string]string
 	AzureClientID        *schemas.EnvVar `gorm:"type:varchar(255)" json:"azure_client_id,omitempty"`
 	AzureClientSecret    *schemas.EnvVar `gorm:"type:text" json:"azure_client_secret,omitempty"`
 	AzureTenantID        *schemas.EnvVar `gorm:"type:varchar(255)" json:"azure_tenant_id,omitempty"`
+	AzureScopesJSON      *string         `gorm:"column:azure_scopes;type:text" json:"-"` // JSON serialized []string
 
 	// Vertex config fields (embedded)
 	VertexProjectID       *schemas.EnvVar `gorm:"type:varchar(255)" json:"vertex_project_id,omitempty"`
 	VertexProjectNumber   *schemas.EnvVar `gorm:"type:varchar(255)" json:"vertex_project_number,omitempty"`
 	VertexRegion          *schemas.EnvVar `gorm:"type:varchar(100)" json:"vertex_region,omitempty"`
 	VertexAuthCredentials *schemas.EnvVar `gorm:"type:text" json:"vertex_auth_credentials,omitempty"`
-	VertexDeploymentsJSON *string `gorm:"type:text" json:"-"` // JSON serialized map[string]string
+	VertexDeploymentsJSON *string         `gorm:"type:text" json:"-"` // JSON serialized map[string]string
 
 	// Bedrock config fields (embedded)
 	BedrockAccessKey         *schemas.EnvVar `gorm:"type:varchar(255)" json:"bedrock_access_key,omitempty"`
 	BedrockSecretKey         *schemas.EnvVar `gorm:"type:text" json:"bedrock_secret_key,omitempty"`
 	BedrockSessionToken      *schemas.EnvVar `gorm:"type:text" json:"bedrock_session_token,omitempty"`
 	BedrockRegion            *schemas.EnvVar `gorm:"type:varchar(100)" json:"bedrock_region,omitempty"`
 	BedrockARN               *schemas.EnvVar `gorm:"type:text" json:"bedrock_arn,omitempty"`
-	BedrockDeploymentsJSON   *string `gorm:"type:text" json:"-"` // JSON serialized map[string]string
-	BedrockBatchS3ConfigJSON *string `gorm:"type:text" json:"-"` // JSON serialized schemas.BatchS3Config
+	BedrockDeploymentsJSON   *string         `gorm:"type:text" json:"-"` // JSON serialized map[string]string
+	BedrockBatchS3ConfigJSON *string         `gorm:"type:text" json:"-"` // JSON serialized schemas.BatchS3Config
 
 	// Batch API configuration
 	UseForBatchAPI *bool `gorm:"default:false" json:"use_for_batch_api,omitempty"` // Whether this key can be used for batch API operations
@@ -95,6 +96,16 @@ func (k *TableKey) BeforeSave(tx *gorm.DB) error {
 		k.AzureClientID = k.AzureKeyConfig.ClientID
 		k.AzureClientSecret = k.AzureKeyConfig.ClientSecret
 		k.AzureTenantID = k.AzureKeyConfig.TenantID
+		if len(k.AzureKeyConfig.Scopes) > 0 {
+			data, err := json.Marshal(k.AzureKeyConfig.Scopes)
+			if err != nil {
+				return err
+			}
+			s := string(data)
+			k.AzureScopesJSON = &s
+		} else {
+			k.AzureScopesJSON = nil
+		}
 		if k.AzureKeyConfig.Deployments != nil {
 			data, err := json.Marshal(k.AzureKeyConfig.Deployments)
 			if err != nil {
@@ -112,6 +123,7 @@ func (k *TableKey) BeforeSave(tx *gorm.DB) error {
 		k.AzureClientID = nil
 		k.AzureClientSecret = nil
 		k.AzureTenantID = nil
+		k.AzureScopesJSON = nil
 	}
 	// BeforeSave is called before saving the key to the database
 	if k.VertexKeyConfig != nil {
@@ -217,12 +229,19 @@ func (k *TableKey) AfterFind(tx *gorm.DB) error {
 	}
 	// Reconstruct Azure config if fields are present
 	if k.AzureEndpoint != nil {
+		var scopes []string
+		if k.AzureScopesJSON != nil && *k.AzureScopesJSON != "" {
+			if err := json.Unmarshal([]byte(*k.AzureScopesJSON), &scopes); err != nil {
+				return err
+			}
+		}
 		azureConfig := &schemas.AzureKeyConfig{
 			Endpoint:     *schemas.NewEnvVar(""),
 			APIVersion:   k.AzureAPIVersion,
 			ClientID:     k.AzureClientID,
 			ClientSecret: k.AzureClientSecret,
 			TenantID:     k.AzureTenantID,
+			Scopes:       scopes,
 		}
 
 		if k.AzureEndpoint != nil {

framework/configstore/tables/virtualkey.go

@@ -106,6 +106,7 @@ func (pc *TableVirtualKeyProviderConfig) AfterFind(tx *gorm.DB) error {
 			key.AzureClientID = nil
 			key.AzureClientSecret = nil
 			key.AzureTenantID = nil
+			key.AzureScopesJSON = nil
 			key.AzureDeploymentsJSON = nil
 			key.AzureKeyConfig = nil
 

ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx

@@ -6,6 +6,7 @@ import { EnvVarInput } from "@/components/ui/envVarInput";
 import { FormControl, FormDescription, FormField, FormItem, FormLabel, FormMessage } from "@/components/ui/form";
 import { Input } from "@/components/ui/input";
 import { ModelMultiselect } from "@/components/ui/modelMultiselect";
+import { TagInput } from "@/components/ui/tagInput";
 import { Separator } from "@/components/ui/separator";
 import { Switch } from "@/components/ui/switch";
 import { Tabs, TabsList, TabsTrigger } from "@/components/ui/tabs";
@@ -220,6 +221,7 @@ export function ApiKeyFormFragment({ control, providerName, form }: Props) {
 								form.setValue('key.azure_key_config.client_id', undefined)
 								form.setValue('key.azure_key_config.client_secret', undefined)
 								form.setValue('key.azure_key_config.tenant_id', undefined)
+								form.setValue('key.azure_key_config.scopes', undefined)
 							}
 						}}>
 							<TabsList className="grid w-full grid-cols-2">
@@ -297,6 +299,38 @@ export function ApiKeyFormFragment({ control, providerName, form }: Props) {
 									</FormItem>
 								)}
 							/>
+							<FormField
+								control={control}
+								name={`key.azure_key_config.scopes`}
+								render={({ field }) => (
+									<FormItem>
+										<div className="flex items-center gap-2">
+											<FormLabel>Scopes (Optional)</FormLabel>
+											<TooltipProvider>
+												<Tooltip>
+													<TooltipTrigger asChild>
+														<span>
+															<Info className="text-muted-foreground h-3 w-3" />
+														</span>
+													</TooltipTrigger>
+													<TooltipContent>
+														<p>Optional OAuth scopes for token requests. By default we use
+														https://cognitiveservices.azure.com/.default — add additional scopes here if your setup requires extra permissions.</p>
+													</TooltipContent>
+												</Tooltip>
+											</TooltipProvider>
+										</div>
+										<FormControl>
+											<TagInput
+												placeholder="Add scope (Enter or comma)"
+												value={field.value ?? []}
+												onValueChange={field.onChange}
+											/>
+										</FormControl>
+										<FormMessage />
+									</FormItem>
+								)}
+							/>
 						</>
 					)}