feat: add scopes field in azure key config for entra id auth#1553

Merged
akshaydeo merged 1 commit into main from 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth on Feb 5, 2026

Conversation

@TejasGhatte TejasGhatte commented Feb 5, 2026

Add configurable OAuth scopes for Azure authentication

This PR adds support for custom OAuth scopes when authenticating with Azure Entra ID. Previously, the Azure provider used a hardcoded scope (https://cognitiveservices.azure.com/.default), but some Azure environments may require different or additional scopes.

Changes

  • Added a new scopes field to the AzureKeyConfig structure to allow specifying custom OAuth scopes
  • Modified the Azure authentication code to use the custom scopes when provided, falling back to the default scope
  • Added database migration to support storing the scopes in the database
  • Updated UI to allow configuring custom scopes in the Azure provider settings
  • Updated documentation to reflect the new configuration option

Type of change

  • Feature
  • Documentation

Affected areas

  • Core (Go)
  • Providers/Integrations
  • UI (Next.js)
  • Docs

How to test

  1. Configure an Azure provider with custom scopes:

     {
       "provider": "azure",
       "azure_key_config": {
         "endpoint": "https://your-endpoint.openai.azure.com/",
         "client_id": "your-client-id",
         "client_secret": "your-client-secret",
         "tenant_id": "your-tenant-id",
         "scopes": ["https://cognitiveservices.azure.com/.default", "custom-scope"]
       }
     }

  2. Verify that the authentication works with the custom scopes
  3. Verify that the default scope is used when no custom scopes are provided

Breaking changes

  • No

Security considerations

This change enhances security by allowing more granular control over the OAuth scopes used for Azure authentication, which follows the principle of least privilege.

Checklist

  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
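A point worth checking before running the test steps above: a client_id / client_secret / tenant_id configuration means the client credentials grant, and the Entra ID v2.0 token endpoint accepts exactly one scope for that grant, of the form `<resource>/.default`. A list such as `["https://cognitiveservices.azure.com/.default", "custom-scope"]` is therefore rejected by the token endpoint rather than "used". The Go below is an added example written for this page, not the project's own getAzureScopes or any code from this PR; the function names NormalizeAzureScopes, ValidateClientCredentialScopes and ResolveAzureScope are hypothetical, and DefaultAzureScope is the value quoted in the PR description. It trims, drops empty and duplicate entries, falls back to the default, and then enforces the single-`/.default`-scope rule so a bad configuration fails at load time with a clear message instead of at the first token request.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DefaultAzureScope is the scope the provider used before scopes became configurable
// (value taken from the PR description).
const DefaultAzureScope = "https://cognitiveservices.azure.com/.default"

// NormalizeAzureScopes trims each entry, drops empty strings and duplicates, and
// falls back to DefaultAzureScope when nothing usable remains.
// Example code; not the project's getAzureScopes.
func NormalizeAzureScopes(configured []string) []string {
	seen := make(map[string]struct{}, len(configured))
	cleaned := make([]string, 0, len(configured))
	for _, s := range configured {
		t := strings.TrimSpace(s)
		if t == "" {
			continue
		}
		if _, dup := seen[t]; dup {
			continue
		}
		seen[t] = struct{}{}
		cleaned = append(cleaned, t)
	}
	if len(cleaned) == 0 {
		return []string{DefaultAzureScope}
	}
	return cleaned
}

// ValidateClientCredentialScopes enforces what the Entra ID client credentials grant
// accepts: exactly one scope, ending in /.default, whose resource part is an
// https:// URL or an api:// application ID URI. It returns that single scope.
func ValidateClientCredentialScopes(scopes []string) (string, error) {
	if len(scopes) != 1 {
		return "", fmt.Errorf("client credentials flow takes exactly one scope, got %d: %v", len(scopes), scopes)
	}
	s := scopes[0]
	if !strings.HasSuffix(s, "/.default") {
		return "", fmt.Errorf("scope %q must end in /.default for the client credentials flow", s)
	}
	resource := strings.TrimSuffix(s, "/.default")
	u, err := url.Parse(resource)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "api") {
		return "", fmt.Errorf("scope %q: resource %q is not an https:// or api:// identifier", s, resource)
	}
	return s, nil
}

// ResolveAzureScope is what a caller would run on AzureKeyConfig.Scopes before
// building the token request: normalize, then validate.
func ResolveAzureScope(configured []string) (string, error) {
	return ValidateClientCredentialScopes(NormalizeAzureScopes(configured))
}

func main() {
	// Constructed inputs: empty config, padded default, the PR description's
	// two-entry list, and an application ID URI.
	for _, cfg := range [][]string{
		nil,
		{"  https://cognitiveservices.azure.com/.default  ", ""},
		{"https://cognitiveservices.azure.com/.default", "custom-scope"},
		{"api://my-app-id/.default"},
	} {
		scope, err := ResolveAzureScope(cfg)
		fmt.Printf("%v -> scope=%q err=%v\n", cfg, scope, err)
	}
}
```

With this in place, step 3 of the test plan (no scopes configured) resolves to the default, step 2 as written fails fast with "takes exactly one scope", and a padded or duplicated default collapses to a single clean entry.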

coderabbitai bot commented Feb 5, 2026

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added support for custom OAuth scopes for Azure Entra ID authentication; scopes are applied when obtaining tokens. UI adds a Scopes field with tag-style input.
  • Documentation

    • Updated docs, examples, API schemas, and changelogs to document the new Scopes field and its default.
  • Chores

    • Scopes are persisted in configuration storage and a database migration was added to store them.

Walkthrough

Adds optional Azure OAuth scopes across schema, UI, persistence, migration, and provider code; token requests now use a cleaned scopes list from AzureKeyConfig.Scopes (falling back to default), and scopes are persisted, redacted, validated, and documented.

Changes

Cohort / File(s) / Summary

  • Core Azure provider: core/providers/azure/azure.go, core/providers/azure/files.go, core/providers/azure/utils.go
    Introduce getAzureScopes to normalize scopes and use its result for token acquisition instead of the hard-coded default scope.
  • Schema & types: core/schemas/account.go, ui/lib/types/config.ts, ui/lib/types/schemas.ts, docs/openapi/schemas/management/providers.yaml
    Add optional scopes field to AzureKeyConfig in backend schema, frontend TS types, Zod validation, and OpenAPI schema.
  • Database + migration: framework/configstore/tables/key.go, framework/configstore/tables/virtualkey.go, framework/configstore/migrations.go
    Add azure_scopes DB column and AzureScopesJSON field; marshal/unmarshal JSON scopes in BeforeSave/AfterFind; add migration with upgrade and rollback.
  • Configstore redaction: framework/configstore/clientconfig.go
    Include Azure Scopes when constructing redacted ProviderConfig.
  • Frontend UI: ui/app/workspace/providers/fragments/apiKeysFormFragment.tsx
    Add TagInput-based scopes FormField, wire to form state, and clear scopes when Azure auth type changes.
  • Docs & changelogs: core/changelog.md, transports/changelog.md, docs/providers/supported-providers/azure.mdx, docs/quickstart/gateway/provider-configuration.mdx
    Document the new scopes field in examples and parameter lists; add changelog entries.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant UI as "UI Form"
    participant API as "Config API"
    participant DB as "Database"
    participant Provider as "Azure Provider"
    participant Azure as "Azure Entra ID"

    User->>UI: Enter/save key + custom scopes
    UI->>API: Submit key config (includes scopes)
    API->>DB: Persist key (azure_scopes column)
    DB-->>API: OK

    Provider->>DB: Load key config
    DB-->>Provider: Key config (deserialized scopes)
    Provider->>Azure: Request token with scopes (custom or default)
    Azure-->>Provider: Access token
    Provider-->>User: Return token

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 66.67%, which is below the required threshold of 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main feature: adding a scopes field to Azure key config for Entra ID authentication.
  • Description check: ✅ Passed. The description comprehensively covers all required template sections including summary, detailed changes, type of change, affected areas, testing instructions, breaking changes, security considerations, and completion of the checklist.

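The walkthrough above describes the persistence side: scopes are marshalled to JSON into an azure_scopes column in BeforeSave, unmarshalled in AfterFind, and copied into a redacted ProviderConfig. The practitioner edge cases are rows written before the migration (an empty column must load as "no scopes", not as a JSON error) and the redacted view aliasing the stored slice. The Go below is an added example for this page, not the project's key.go or clientconfig.go: the AzureKeyConfig and KeyRow structs are hypothetical stand-ins, the BeforeSave/AfterFind methods are plain methods rather than ORM hooks, the column is assumed to be scanned into a string with NULL read as "", and redacting ClientSecret is an assumed part of the redaction rather than something the page states.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AzureKeyConfig mirrors the fields named in the PR; only Scopes is new.
// Hypothetical struct for this example, not the project's schemas.AzureKeyConfig.
type AzureKeyConfig struct {
	Endpoint     string   `json:"endpoint"`
	ClientID     string   `json:"client_id"`
	ClientSecret string   `json:"client_secret"`
	TenantID     string   `json:"tenant_id"`
	Scopes       []string `json:"scopes,omitempty"`
}

// KeyRow stands in for the database row: AzureScopesJSON is the text column
// (azure_scopes) that holds the scopes as a JSON array.
type KeyRow struct {
	AzureScopesJSON string
	Config          AzureKeyConfig
}

// BeforeSave serializes Scopes into the column. No scopes are stored as an empty
// string rather than "null" or "[]", so pre-migration and "unset" rows look alike.
func (r *KeyRow) BeforeSave() error {
	if len(r.Config.Scopes) == 0 {
		r.AzureScopesJSON = ""
		return nil
	}
	b, err := json.Marshal(r.Config.Scopes)
	if err != nil {
		return fmt.Errorf("marshal azure_scopes: %w", err)
	}
	r.AzureScopesJSON = string(b)
	return nil
}

// AfterFind restores Scopes from the column. json.Unmarshal on "" returns an error,
// so an empty column (a row written before the migration) is treated as no scopes
// instead of failing the whole key load.
func (r *KeyRow) AfterFind() error {
	r.Config.Scopes = nil
	if r.AzureScopesJSON == "" {
		return nil
	}
	var scopes []string
	if err := json.Unmarshal([]byte(r.AzureScopesJSON), &scopes); err != nil {
		return fmt.Errorf("unmarshal azure_scopes %q: %w", r.AzureScopesJSON, err)
	}
	if len(scopes) > 0 {
		r.Config.Scopes = scopes
	}
	return nil
}

// Redacted returns the config as an API or UI response may expose it: the secret
// blanked (assumed here) and the Scopes slice copied, so a caller mutating the
// redacted value cannot reach the stored config through the shared backing array.
func (c AzureKeyConfig) Redacted() AzureKeyConfig {
	out := c
	out.ClientSecret = ""
	if len(c.Scopes) > 0 {
		out.Scopes = append([]string(nil), c.Scopes...)
	}
	return out
}

func main() {
	// Constructed row: one scope, then a round trip through the column.
	row := KeyRow{Config: AzureKeyConfig{
		ClientID: "client", ClientSecret: "secret", TenantID: "tenant",
		Scopes:   []string{"https://cognitiveservices.azure.com/.default"},
	}}
	_ = row.BeforeSave()
	loaded := KeyRow{AzureScopesJSON: row.AzureScopesJSON}
	_ = loaded.AfterFind()
	fmt.Printf("column=%s loaded=%v\n", row.AzureScopesJSON, loaded.Config.Scopes)

	// Constructed legacy row: empty column loads cleanly as nil scopes.
	legacy := KeyRow{}
	fmt.Printf("legacy err=%v scopes=%v\n", legacy.AfterFind(), legacy.Config.Scopes)

	fmt.Printf("redacted=%+v\n", row.Config.Redacted())
}
```

The nil-on-empty behaviour matters because the provider falls back to the default scope only when the configured list is empty; a load that errored on old rows would take every pre-migration Azure key offline.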
github-actions bot commented Feb 5, 2026

🧪 Test Suite Available

This PR can be tested by a repository admin.

@TejasGhatte TejasGhatte marked this pull request as ready for review February 5, 2026 07:28

@TejasGhatte TejasGhatte force-pushed the 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth branch from 86a7d30 to 1beefc8 on February 5, 2026 07:28

@akshaydeo akshaydeo left a comment

added inline comments

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@core/providers/azure/azure.go`:
- Around line 86-93: The Azure token request must not include empty or
whitespace-only scopes: before calling cred.GetToken (and when building
policy.TokenRequestOptions), normalize key.AzureKeyConfig.Scopes by trimming
each entry and filtering out empty strings, then if the resulting slice is empty
set scopes = []string{DefaultAzureScope}; for client credentials ensure you pass
the single cleaned scope that ends with "/.default" (or fallback to
DefaultAzureScope) into TokenRequestOptions so cred.GetToken receives only
valid, trimmed scopes.

In `@framework/configstore/tables/key.go`:
- Around line 99-107: The code references AzureKeyConfig.Scopes (in key.go
around the AzureScopesJSON handling) but the build-time schema for
schemas.AzureKeyConfig does not define Scopes; update the schema used at build
time so schemas.AzureKeyConfig includes the Scopes field (with the correct type,
e.g., []string) or, if the schema intentionally uses a different field name,
change the code to read that existing field instead of Scopes; ensure all
duplicated/alternate schema definitions are synchronized so AzureKeyConfig and
the code paths setting AzureScopesJSON (and the similar block around lines
~232-245) compile against the same field name.

@TejasGhatte TejasGhatte force-pushed the 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth branch from 1beefc8 to 7b7aafa on February 5, 2026 08:37

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@core/providers/azure/azure.go`:
- Around line 86-89: The getAzureScopes helper currently appends the untrimmed
scope string causing potential Azure auth failures; update the function
(getAzureScopes in utils.go) to append the trimmed value (use
strings.TrimSpace(s)) instead of the original s so only whitespace-trimmed scope
entries are returned and passed to cred.GetToken.
🧹 Nitpick comments (2)
core/providers/azure/utils.go (1)

67-81: Consider trimming scope strings before adding them.

The function checks if the trimmed value is non-empty (line 72) but appends the original untrimmed string (line 73). If a user accidentally provides a scope with leading/trailing whitespace, it would pass validation but could cause authentication issues.

♻️ Proposed fix to trim scopes
 func getAzureScopes(configuredScopes []string) []string {
 	scopes := []string{DefaultAzureScope}
 	if len(configuredScopes) > 0 {
 		cleaned := make([]string, 0, len(configuredScopes))
 		for _, s := range configuredScopes {
-			if strings.TrimSpace(s) != "" {
-				cleaned = append(cleaned, s)
+			trimmed := strings.TrimSpace(s)
+			if trimmed != "" {
+				cleaned = append(cleaned, trimmed)
 			}
 		}
 		if len(cleaned) > 0 {
 			scopes = cleaned
 		}
 	}
 	return scopes
 }
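Review bot: trimming fixes the whitespace case, but getAzureScopes still returns every configured entry, and the earlier comment on azure.go (around line 86-93) already noted that the client credentials token request must carry a single scope ending in "/.default". With this fix the PR description's test config ["https://cognitiveservices.azure.com/.default", "custom-scope"] is still passed through as two scopes, one of them not a /.default resource scope, and the failure only surfaces when Entra ID rejects the token request. Consider having getAzureScopes (or its caller in azure.go) reject entries that do not end in "/.default" and error when more than one remains for client credentials, so a bad key config fails at save or load time with a clear message. De-duplicating after `trimmed := strings.TrimSpace(s)` is also cheap here, since the UI's tag input makes repeated entries easy.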
framework/configstore/clientconfig.go (1)

296-298: Consider defensive copy of the scopes slice.

The current implementation assigns the slice reference directly, which means modifications to the redacted config's scopes would affect the original. While this follows the existing pattern for Deployments and other fields in this function, a defensive copy would be safer.

🛡️ Optional: Defensive copy
 			if len(key.AzureKeyConfig.Scopes) > 0 {
-				azureConfig.Scopes = key.AzureKeyConfig.Scopes
+				azureConfig.Scopes = make([]string, len(key.AzureKeyConfig.Scopes))
+				copy(azureConfig.Scopes, key.AzureKeyConfig.Scopes)
 			}
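Review bot: the copy is correct; on Go 1.21+ `azureConfig.Scopes = slices.Clone(key.AzureKeyConfig.Scopes)` expresses the same thing in one line and can drop the surrounding len check, since cloning a nil or empty slice is harmless. If the copy is adopted here, the Deployments field this function handles with the same alias-the-slice pattern (mentioned in the comment above) should get the same treatment, otherwise the redacted ProviderConfig is only partially decoupled from the stored key.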

@TejasGhatte TejasGhatte force-pushed the 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth branch from 7b7aafa to d193b85 on February 5, 2026 09:12

akshaydeo commented Feb 5, 2026

Merge activity

  • Feb 5, 10:39 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Feb 5, 10:40 AM UTC: Graphite couldn't merge this PR because it had merge conflicts.
  • Feb 5, 3:06 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Feb 5, 3:06 PM UTC: @akshaydeo merged this pull request with Graphite.

@TejasGhatte TejasGhatte force-pushed the 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth branch from d193b85 to fbb5419 on February 5, 2026 12:49
@akshaydeo akshaydeo merged commit cc758f1 into main Feb 5, 2026
10 checks passed
@akshaydeo akshaydeo deleted the 02-04-feat_add_scopes_field_in_azure_key_config_for_entra_id_auth branch February 5, 2026 15:06