Applications
Applications are central to how OLAF manages authentication, user access, and customizations. Each application represents a set of configurations and permissions tailored to specific use cases, providing flexibility and control over your authentication workflows.
What is an Application in OLAF
An application in OLAF represents a logical grouping of configurations, credentials, users, and permissions. Applications can be used to manage user authentication and provide customization for specific environments (e.g., development, staging, production) or distinct client use cases.
How Applications Work
Applications in OLAF are designed to provide a flexible and secure foundation for managing authentication, permissions, and branding. Here’s how they function:
- Unique Identifiers and Credentials: Each application has a unique App ID along with credentials such as a Client ID and Client Secret. These credentials are essential for authenticating your application with OLAF.
- Hosts and Callback URLs: Applications can be assigned specific hosts and callback URLs, which are required to enable secure authentication workflows. These configurations ensure requests are routed correctly during user sign-in and authentication processes.
- Permissions and User Groups: Permissions and user groups are defined at the application level, allowing for fine-grained control over user access. Admins can create custom permission sets and assign them to individual users or groups to meet specific access control requirements.
- Styling for Branding: Applications include a Styling Tab where users can apply custom style properties, such as colors, logos, and typography, to better align the application with their branding requirements. This ensures that login pages, emails, and other user-facing components reflect your organization’s identity.
By combining these elements, OLAF enables you to manage applications with flexibility, security, and a seamless branded experience.
Protected Application
In OLAF, the Dashboard app is the only Protected Application. It is specifically designed to manage dashboard functionalities, such as styling and permissions. All other settings for this application are locked and cannot be modified or deleted.
Managing Applications
Add New
To add a new application:
- Navigate to the Applications section in the OLAF dashboard.
- Click the Add new button.
- Provide the Application Type (e.g., Authorization) and Application Name.
- Save the application.
Delete Existing
To delete an application:
- Open the Applications section.
- Select the application you wish to delete.
- Navigate to the Danger Zone section.
- Click the Delete App button.
- In the confirmation dialog, type the application name.
- Confirm the action.
Deleting an application will remove all associated data, including users, hosts, and permissions.
Application Details
Each application in OLAF has multiple tabs for configuration and management:
General
Basic Info
This section provides key details about the application, including:
- App ID: The unique identifier for the application.
- Application Type: The type of the application (e.g., Authorization).
- Creation Date: The date when the application was created.
Credentials
The Credentials section provides access to the application’s Client ID and Client Secret, which are critical for integrating your application with external systems and services via OLAF’s OpenID implementation.
- View and Regenerate: Securely view or regenerate the Client ID and Client Secret as needed to maintain application security and functionality.
- Purpose: These credentials authenticate your application with OLAF, enabling secure communication during both authentication and authorization processes.
It is vital to store these credentials securely and only share them with trusted systems to prevent unauthorized access or misuse.
Hosts
The Hosts Tab is where you manage the configuration of callback URLs, which are essential for the authentication process.
- Callback URLs: These URLs are used during the authorization flow to redirect users back to your application after OLAF has processed their authentication. The OLAF SDK utilizes these callback URLs to construct the appropriate sign-in URL, ensuring a seamless and secure authentication experience.
In this section, you can add, edit, or remove authorized callback URLs as needed to match your application’s requirements.
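As an added example (not OLAF's or its SDK's code), this is the exact-match check an authorization server applies when the redirect_uri of an incoming sign-in request is compared against the callback URLs registered on the Hosts Tab; the registered values below are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample: callback URLs as an operator would register them in an
# application's Hosts Tab (hypothetical values, not taken from any real deployment).
REGISTERED_CALLBACKS = [
    "https://app.example.com/auth/callback",
    "https://staging.example.com:8443/auth/callback",
    "http://localhost:3000/auth/callback",
]


def normalize_callback(url: str):
    """Reduce a URL to (scheme, host, port, path, query) with default ports applied.

    Returns None for anything a callback URL must never carry: a non-HTTP scheme,
    a missing host, userinfo (user:pass@host, a classic way to disguise the real
    host), an unparsable URL or port, or a fragment.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def is_allowed_callback(redirect_uri: str, registered=REGISTERED_CALLBACKS) -> bool:
    """Exact-match policy: the requested redirect_uri must equal a registered
    callback in scheme, host, port, path and query. No prefix or substring
    matching, so look-alike hosts such as app.example.com.evil.test, a different
    port, extra path segments or added query parameters are all rejected."""
    requested = normalize_callback(redirect_uri)
    if requested is None:
        return False
    return any(requested == normalize_callback(r) for r in registered)
```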
Users
The Users Tab allows you to manage users associated with your application. Currently, it provides the following functionality:
- Add Users: Users can be added by clicking the Add Users button, which opens a dialog displaying a list of all eligible users. The dialog includes a search function to quickly find the desired users.
- Remove Users: Users can be removed from the application directly through this tab by clicking the trash icon.
Permissions
The Permissions Tab allows you to manage access control at a granular level:
Custom Permissions
- Define specific actions or resources that users can access.
- Assign these permissions to users or groups.
Custom Groups
- Create permission groups (e.g., Admins, Editors) to streamline user role assignments.
- Modify group permissions as needed.
Learn more in the Permission Management guide.
Styling
The Styling Tab enables you to customize the visual appearance of your application:
- Configure style properties such as colors, logos, and typography.
- Preview how the application will look for end users.
Best Practices
Regularly Rotate Credentials
Rotating credentials such as Client IDs and Client Secrets is a critical practice to protect your application from unauthorized access. Here’s why and how you should do it:
Why Rotate Credentials?
- Prevent misuse in case credentials are leaked or exposed.
- Ensure compliance with security policies and regulations.
- Mitigate risks associated with stale or compromised credentials.
How to Rotate Credentials in OLAF
- Navigate to the General Tab of your application in the OLAF dashboard.
- Locate the Client ID and Client Secret sections.
- Click the Create new button next to the Client Secret label to create new credentials.
- Update your application's configuration with the new credentials immediately.
- Test the application to ensure that the new credentials work as expected.
Tips for Credential Rotation
- Schedule regular credential rotation (e.g., every 90 days).
- Notify your team in advance when rotating credentials to avoid disruptions.
- Remove old credentials immediately after generating new ones to minimize the attack surface.
Least Privilege Principle
The Least Privilege Principle ensures that users, applications, and processes only have the permissions necessary to perform their tasks—nothing more. Implementing this principle minimizes security risks and reduces the likelihood of unintended access or actions.
Why Follow the Least Privilege Principle?
- Prevent unauthorized access to sensitive data or features.
- Limit the impact of compromised accounts.
- Improve compliance with security and privacy regulations.
How to Apply Least Privilege in OLAF
- Define Custom Permissions:
  - Use the Permissions Tab to create specific permissions for each role or resource.
  - Example: Grant “View Only” permissions to auditors instead of full access.
- Assign Permissions Thoughtfully:
  - Avoid granting global permissions (e.g., Admin) to users who don’t need them.
  - Use the Custom Groups feature to assign predefined permissions to groups of users.
- Regularly Review Permissions:
  - Periodically audit user roles and permissions in the Users Tab.
  - Remove permissions from users who no longer require access.
Tips for Effective Permission Management
- Start with minimal permissions and gradually add access as needed.
- Use logs and analytics to monitor how permissions are used.
- Automate permission cleanup for inactive users or expired sessions.
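The periodic review and log-driven cleanup described above, as an added example that is not OLAF's code: a small model of one application's custom permissions, groups and assignments, with an audit that flags permissions never exercised in the access log and global permissions granted directly to a user. All users, groups, permissions and log events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AppPermissions:
    """Permission model of one application, mirroring the Permissions Tab:
    custom permissions, custom groups, and per-user assignments."""
    defined: set[str]
    groups: dict[str, set[str]]            # group name -> permissions it grants
    user_groups: dict[str, set[str]]       # user -> groups they belong to
    user_direct: dict[str, set[str]]       # user -> permissions granted directly
    global_perms: set[str] = field(default_factory=set)  # broad ones like "admin"

    def effective_permissions(self, user: str) -> set[str]:
        """Direct grants plus every group's grants, limited to permissions that
        are still defined on the application."""
        perms = set(self.user_direct.get(user, ()))
        for group in self.user_groups.get(user, ()):
            perms |= self.groups.get(group, set())
        return perms & self.defined

    def audit(self, usage_log) -> dict[str, dict[str, set[str]]]:
        """usage_log: iterable of (user, permission) events from access logs.
        Flags, per user, effective permissions never exercised in the log and
        global permissions granted directly instead of through a reviewed group."""
        used: dict[str, set[str]] = {}
        for user, perm in usage_log:
            used.setdefault(user, set()).add(perm)
        findings = {}
        for user in set(self.user_groups) | set(self.user_direct):
            unused = self.effective_permissions(user) - used.get(user, set())
            direct_global = set(self.user_direct.get(user, ())) & self.global_perms
            if unused or direct_global:
                findings[user] = {"unused": unused, "direct_global": direct_global}
        return findings

# Constructed sample application and log; names and permissions are hypothetical.
SAMPLE_APP = AppPermissions(
    defined={"reports:view", "reports:export", "users:manage", "admin"},
    groups={"Auditors": {"reports:view"},
            "Editors": {"reports:view", "reports:export"},
            "Admins": {"admin", "users:manage"}},
    user_groups={"alice": {"Editors"}, "bob": {"Auditors"}, "carol": {"Admins"}},
    user_direct={"bob": {"reports:export"}, "dave": {"admin"}},
    global_perms={"admin"},
)
SAMPLE_LOG = [("alice", "reports:view"), ("alice", "reports:export"),
              ("bob", "reports:view"), ("carol", "users:manage")]
```

Running SAMPLE_APP.audit(SAMPLE_LOG) yields review candidates only for bob, carol and dave; alice used everything she holds and is not reported.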