List of applications
Look at the vertical menu on the left and click on the "My Applications" option. Here you can see the application in which you are authorized. You can also select one of the organizations to which the user belongs and show all its applications.
Figure 4: List user applications
Figure 5: List organization applications
Register an application
In home page, in the Applications section you can register new application by clicking on "Register". You can also register an application from My Application page.
Figure 6: Home register an application
There are several attributes that are mandatory:
Callback URL. Required by the OAuth 2.0 Protocol
Provider. You have to choose who is going to be the provider of the application: yourself or one of the organizations in which you are owner.
Although the rest of attributes are not mandatory, it is important to understand its functionality:
Sign-out Callback URL. This is the URL to which Keyrock will redirect a user if a sign out is performed from a service. If it is not configured, it will be redirected to the domain indicated in URL parameter. See more information under sign out oauth section
Grant Type. You can select the different ways of obtaining an OAuth Access Token. Check Connecting to IdM with OAuth2.0.
eIDAS Authentication. This attribute allows your service to authenticate users by their eID. See more information in Connecting IdM to a eIDAS Node Section.
Figure 7: KeyRock Register Application
Click on "Next".
In the second step the application's logo will be loaded by selecting a valid file type. You have the option to re-frame the chosen image.
Click on "Crop Image" when you complete this process and then click "Next".
Figure 8: Upload logo Application
Figure 9: Crop image
In the third step we set up the roles and permissions of the application. In the next section it is explained.
In this page you will find two default roles: Provider and Purchaser. If you click in one of these roles, you will see the permissions assigned to that role.
Figure 10: List of roles and permissions
You are also able to create new roles and permissions.
Figure 11: Create roles and permissions
To create a new role click on "New role" and write the name of role, after that click "Save".
Figure 12: Create a role
You are also permitted to add up new permissions by clicking on "New Permission". Here you need to enter the name of the permission, description, HTTP verb (GET, PUT, POST, DELETE, or PATCH), and the Resource, the path from which you are requesting permission to your service. This path could also be a regular expression, to that permission. Click "Create Permission" and "Finish" to finalize with creating the application. Regular expressions are pattern used to match character combinations in strings. You can get details about regular expression syntax in the following cheatsheet.
Figure 13: Create a permission
You can also configure a specific XACML rule if you need it.
In addition, you can edit and delete all the roles and permissions that you have created by clicking in the corresponding buttons.
You can configure the permissions for the new role by activating the corresponding check box. Click "Save" button to create the new assignment.
Figure 14: KeyRock New assignment
Once you have created an application, you are redirected to the page where all the information is displayed. You can also access this information by clicking in the corresponding application from "My Applications page". The Oauth2 credentials of the application are displayed in this page.
Figure 15: Application view
You can also perform several actions:
Edit the application. Here you can change applications attributes: name, description, url, redirect_uri and logo.
Manage roles. Explained in the previous section.
Register a Pep Proxy.
Register an IoT Agent.
Authorize trusted applications.
Register Pep Proxy and IoT Agents
For each application you can register a Pep Proxy in order to enable authentication and authorization via Oauth2. You can also register some IoT agents in the application to provide lightweight security mechanisms to yours IoT devices.
Figure 16: Pep Proxy and Iot Agents register
You can also reset passwords of these components or delete them.
Authorize users and organizations
You can add users or organizations in the application by clicking on the "Authorize" button.
Figure 17: KeyRock authorize
It shows a modal where you can manage Users and Groups. You can see the users or organizations and their initially assigned roles. You can search users or organizations in the right column. Note that you can assign roles after the user or organization have been added, by clicking on the roles drop down menu - below the user's icon, as shown on Figure 18 and Figure 19.
Figure 18: KeyRock Authorize users
Figure 19: KeyRock Authorize organizations
When you assign roles to an organization, you assign it to the users who are owners or members of the application. In next section is explained more in detail how to manage organizations.
Authorize trusted applications
Keyrock allows application owners to trust in other applications. Thus, a PDP check will validate if the user has a specific permission in the current application or in one of the applications in which it trusts. For adding trusted applications you can use the API or the web interface:
Figure 20: KeyRock Trusted Applications