Document how to use custom scopes per endpoint

[arribatec-cloud-1]

My app has many features and I want granular control of which features (endpoints) are available to which users.

I can currently sign on with my azure account, but how do I actually provide granular authorization?

I am able to go into Azure portal and register roles on my user but I don't know how to look at those roles in my app to provide granular access. What is the best way to do this? This should be documented.

[tomasvotava]

This is actually needlessly difficult right now, the responsibility should move away from the SSOBase itself. Each openid should know its own scopes, which it doesn't, but you could try something like this:

...

sso_login = MicrosoftSSO("client_id", "client_secret", scope=["User.read"])
sso_onedrive = MicrosoftSSO("client_id", "client_secret", scope=["User.read", "Files.read.all"])

You can then use sso_onedrive to ask user for additional permissions. You will have to "remember" the scope for the user yourself, also the scopes may be nonsensical, I didn't open Microsoft's docs.