Application deployment considerations

This document lists tasks to do and details to consider when deploying a secure, trusted application.

In this scenario, it is presumed that the back-end is a web application server. It uses the Management API to connect to onePortal. OpenID Connect is used for authentication and identification. A full example of this kind of application is the onePortal Angular Demo, described in another document here.

Tasks

  1. Sign in to the Management UI with a Developer account. This Developer account must have permissions (roles) to do everything the application will do.
  2. Create a Management API Client entry by first selecting Management API on the Main Menu. See "Management API - screenshots" section below and /wiki/spaces/TISpubdoc/pages/20515347.
    1. The editor has many settings, and all of the client's settings are defined there. Many of them are obvious, but many others require careful planning and an understanding of the application.
    2. API Client Owner. This is the Developer user account owning this API Client. The API Client may not have more permissions than the owner has.
    3. The list of API Permissions available below is determined by the owner.
    4. Give the Management API Client the minimum set of permissions it requires, and no more.
  3. Create an OpenID Connect entry by first selecting OpenID Connect on the Main Menu. See "OpenID Connect - screenshots" section below and here.
    1. There are many authentication-related settings. Some of these are covered here.
    2. Perhaps the most important selection here is the Confidential checkbox. If the application contains a secure component, as it is presumed we have here, then select the checkbox.
    3. Mobile clients, desktop apps and similar clients, which would store the secret locally (in a technically unreliable location), are not secure in this regard. In those cases, do not select the Confidential checkbox.
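
What the Confidential checkbox means for the token request, shown as an added example that is not onePortal's own code. It uses standard OAuth 2.0 / OpenID Connect mechanisms (HTTP Basic client authentication for the confidential back end, PKCE from RFC 7636 for a client that cannot keep a secret); the redirect URI, client IDs and function names are assumptions, and whether a given deployment uses these exact mechanisms must be checked against its own settings.

```python
import base64
import hashlib
import secrets
from urllib.parse import quote, urlencode

# Placeholder value (assumption, not a real onePortal setting).
REDIRECT_URI = "https://app.example.test/callback"


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(32)  # 43 URL-safe characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def token_request(client_id, code, confidential,
                  client_secret=None, code_verifier=None):
    """Build (headers, body) for the authorization-code token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    if confidential:
        if not client_secret:
            raise ValueError("confidential client needs a server-side secret")
        # The secret is sent only from the back end, in the Authorization
        # header, and never appears in the form body or in the browser.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = (
            "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii"))
    else:
        # A client that stores data on the user's device cannot protect a
        # secret, so it must not carry one; it proves possession of the
        # authorization code with the PKCE verifier instead.
        if client_secret:
            raise ValueError("public client must not embed a secret")
        if not code_verifier:
            raise ValueError("public client must send a PKCE code_verifier")
        form["client_id"] = client_id
        form["code_verifier"] = code_verifier
    return headers, urlencode(form)
```

The challenge half of `pkce_pair()` goes into the authorization request with `code_challenge_method=S256`; the verifier stays in the client until the token request.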

Management API - screenshots

OpenID Connect - screenshots