Permalink:
Acquiring the client ID and client secret
The client ID and the client secret are acquired via the web UI by navigating to the Management API view from the main menu (See figure below). A new client can be registered by clicking the Register new button, which opens a new view where client information can be specified.
The client must have a name and a specified owner. The selected owner is considered responsible for the use of the client credentials and the client. The client owner will also act as a contact person regarding the client. Additionally a client’s access should be restricted to a minimal set of namespaces and permissions. The client can also have rules regarding allowed or disallowed IP addresses.
After saving the new client information a pop-up window will show the newly generated client ID and client secret. (See figure below) By design, the client secret is confidential and will only be shown once. After closing the window the client secret can not be obtained again, but it’s possible to generate and show a new client secret. However, the client ID is not confidential and can be viewed at any time at the Management API view.
Renewing Client Secret
It is possible to renew the client secret. However, please note that renewing the secret renders old clients immediately as non-functional.
To renew the secret, navigate to the Management API view and select your client on the list. After selecting the client, click the “reset secret” button on the toolbar to reset the secret. The client secret will be regenerated but the client ID will remain unchanged.
Configuring the client
When creating a new client, it should be configured accordingly in the onePortal web UI, which is shown in Figure 3. The web UI has options for namespaces the client is allowed to access as well as the permissions that the client will have.
As noted earlier the client access configuration should follow the principle of least privilege, which means that the client should only have access to the resources that are necessary for it to perform it’s tasks.
The available API permissions are likely to increase in number along with the number of features in onePortal. Maintained list of permissions will not be included in this document. However, the permission required by each resource is listed in the API documentation.
The IP address rules can be used to restrict the source IP addresses where requests are allowed. The IP addresses are entered in CIDR notation format. IP address ranges can easily be converted to CIDR notation format by using a tool found in ipadressguide.com. There are plenty of similar tools freely available.
The IP addresses can be either allowed or restricted. The logic used to evaluate the list of allowed and disallowed IP addresses is quite simple. If there are 'Allowed' rules, the IP address must match at least one of them. If there are 'Disallowed' rules, the IP address must not match any of them.