Application deployment considerations
This document lists tasks to do and details to consider when deploying a secure, trusted application.
In this scenario it is presumed that there is a web application server as the back-end. It uses the Management API to connect to onePortal, and OpenID Connect is used for authentication and identification.
Tasks
- Sign in to the Management UI with a Developer account. This Developer account must have the permissions (roles) to do everything the application will do.
- Create a Management API Client entry by first selecting Management API on the Main Menu.
- The editor has a lot of settings, and all of them are defined there. Many of the settings are obvious, yet many others require careful planning and an understanding of the application.
- API Client Owner. This is the Developer user account that owns this API Client. The API Client may not have more permissions than the owner has.
- The list of API Permissions available below is determined by the owner.
- Give the Management API Client the minimum set of permissions it requires. Not more.
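The two rules above (the client may not exceed its owner, and it should be granted exactly what it needs) are easy to get wrong when a client is edited over time. The following is an added example, not part of this document or of onePortal itself: a small review helper that compares an owner's permissions, the permissions currently granted to an API Client, and the permissions the application actually requires. Permission names such as "users:read" are constructed for the example; onePortal's real permission names are whatever the API Permissions list in the editor shows.

```python
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class PermissionReview:
    """Findings from comparing an API Client against its owner and its real needs."""
    missing: set[str] = field(default_factory=set)        # required but not granted: the app will fail
    excessive: set[str] = field(default_factory=set)      # granted but not required: violates "not more"
    exceeds_owner: set[str] = field(default_factory=set)  # granted but the owner lacks it: cannot be honoured

    @property
    def ok(self) -> bool:
        return not (self.missing or self.excessive or self.exceeds_owner)


def review_api_client(owner_permissions: Iterable[str],
                      client_permissions: Iterable[str],
                      required_permissions: Iterable[str]) -> PermissionReview:
    """Report every way the client's grant deviates from a least-privilege grant."""
    owner, client, required = set(owner_permissions), set(client_permissions), set(required_permissions)
    return PermissionReview(
        missing=required - client,
        excessive=client - required,
        exceeds_owner=client - owner,
    )


def minimal_grant(owner_permissions: Iterable[str], required_permissions: Iterable[str]) -> set[str]:
    """Return the set to grant: exactly the required permissions.

    Raises if the owner cannot grant some of them, because the API Client may
    never have more permissions than its owner; the fix is a different owner
    (or fewer requirements), not a silently reduced grant.
    """
    owner, required = set(owner_permissions), set(required_permissions)
    short = required - owner
    if short:
        raise PermissionError(f"owner lacks required permissions: {sorted(short)}")
    return required


# Constructed sample data (hypothetical permission names, not onePortal's).
OWNER_PERMISSIONS = {"users:read", "users:write", "reports:read"}
APP_REQUIRES = {"users:read", "reports:read"}
CURRENT_CLIENT_GRANT = {"users:read", "users:write", "billing:read"}  # over-granted and mis-granted

if __name__ == "__main__":
    review = review_api_client(OWNER_PERMISSIONS, CURRENT_CLIENT_GRANT, APP_REQUIRES)
    print("missing:", sorted(review.missing))            # ['reports:read']
    print("excessive:", sorted(review.excessive))        # ['billing:read', 'users:write']
    print("exceeds owner:", sorted(review.exceeds_owner))  # ['billing:read']
    print("grant instead:", sorted(minimal_grant(OWNER_PERMISSIONS, APP_REQUIRES)))
```

Run the review again after every change to the owner account or to the application's feature set; a permission the owner loses later is a permission the client silently loses too.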
- Create an OpenID Connect entry by first selecting OpenID Connect on the Main Menu. See the "OpenID Connect - screenshots" section below and here.
- There are many authentication-related settings. Some of these are covered here.
- Perhaps the most important selection here is the Confidential checkbox. If the application has a secure component that can hold the client secret, as is presumed here, select the checkbox.
- Mobile clients, desktop apps and similar clients that would have to store the secret locally (in a location that cannot be relied on to protect it) are not secure in this regard. In those cases, do not select the Confidential checkbox.
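The Confidential checkbox decides how the client will later prove its identity at the token endpoint. The following is an added example, not code from this document or from onePortal: it builds the authorization-code token request for both client types. A confidential client sends its secret in an HTTP Basic Authorization header (never in the URL, where it would land in logs), while a public client sends no secret at all and instead uses PKCE (RFC 7636, code_verifier / S256 code_challenge). PKCE is standard OAuth 2.0 practice for public clients; whether onePortal's OpenID Connect endpoint supports it is not stated on this page and is an assumption here. The client_id, code and redirect_uri values are constructed.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import quote


def pkce_pair(verifier: Optional[str] = None) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.

    A fresh random verifier (43..128 unreserved chars) is generated unless
    one is supplied; the challenge is base64url(sha256(verifier)) without padding.
    """
    if verifier is None:
        verifier = secrets.token_urlsafe(64)[:128]
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def token_request(confidential: bool, client_id: str, code: str, redirect_uri: str,
                  client_secret: Optional[str] = None,
                  code_verifier: Optional[str] = None) -> dict:
    """Build the headers and form body of the authorization-code token request.

    confidential=True  -> client_secret_basic: secret only in the Authorization header.
    confidential=False -> no secret anywhere; PKCE code_verifier proves possession instead.
    """
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if confidential:
        if not client_secret:
            raise ValueError("confidential client needs a client secret")
        # RFC 6749 s.2.3.1: form-urlencode id and secret before Basic-encoding them.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    else:
        if client_secret is not None:
            raise ValueError("public client must not hold a client secret")
        if not code_verifier:
            raise ValueError("public client must use PKCE")
        body["client_id"] = client_id
        body["code_verifier"] = code_verifier
    return {"headers": headers, "body": body}


if __name__ == "__main__":
    # Constructed values; a real deployment reads the secret from a server-side secret store.
    print(token_request(True, "backend-app", "AUTHCODE", "https://app.example/cb", client_secret="s3cr3t"))
    verifier, challenge = pkce_pair()  # challenge goes in the authorization request, verifier here
    print(token_request(False, "mobile-app", "AUTHCODE", "com.example.app:/cb", code_verifier=verifier))
```

The two branches are deliberately strict: a public client that is handed a secret raises, because a secret embedded in a mobile or desktop binary is exactly the case the checkbox text warns about, and a confidential client without one raises rather than silently downgrading.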