This article describes how to define which of the official DRACOON apps and tools your users are allowed to use.
If you develop your own apps, scripts or integrations for DRACOON, you will also learn how to register a new own OAuth app for this in DRACOON to enable your self-developed solution to log in to DRACOON. It is also explained how you can subsequently lock, change or remove such a self-added OAuth app registration.
Who is allowed to block or allow DRACOON apps and edit OAuth app registrations?
Only users with the role Configuration Manager are allowed to block or allow official DRACOON apps and to edit own OAuth app registrations in DRACOON.
Topics of this article
Allow or block official DRACOON apps
Numerous official DRACOON apps and clients are available for using a DRACOON environment. Besides the DRACOON Web App, the central application for administering and using DRACOON, these include apps for integration into Windows and macOS (DRACOON for Windows and Mac), apps for mobile devices (DRACOON for iOS, DRACOON for Android), and administrative tools such as the DRACOON Reporting Tool, which is used to evaluate the audit log.
By default, all official DRACOON apps are approved for use in your DRACOON environment. If you do not want some of these apps to be usable by all your users, you can block them.
To allow or block the use of certain official DRACOON apps:
- In the left sidebar, click Settings and then Apps.
- A list of all official DRACOON apps and clients is displayed. A switch to the right of each app indicates whether the respective app can be used by the users of your DRACOON environment (switch on) or not (switch off).
- If you want to change the permission of a specific app, click the corresponding switch. For example, to prevent the use of DRACOON with WebDAV (e.g. because you would rather have your users use the more powerful DRACOON for Windows/Mac instead of WebDAV), set the relevant switch to Off.
Notes on specific DRACOON apps
- The DRACOON Branding Swagger UI is an interactive application for documentation and testing of the DRACOON Branding API. This app is only needed if you want to access the branding of your DRACOON directly via the API using the associated Swagger UI (e.g. while developing your own script). The DRACOON branding Swagger UI is accessible at yourdracoon/branding/api/.
- The DRACOON Branding Web App is used to configure the branding (e.g. logos, colors) of DRACOON.
- DRACOON Legacy Scripting Support allows you to use your own scripts that access the DRACOON API without having to register your own OAuth app (see below). This app cannot be used if you use OpenID Connect for user authentication.
- DRACOON Reporting is the reporting tool available in the Web App, with which your auditors can view and evaluate the audit log of your DRACOON environment and download it as a CSV or PDF file.
- The DRACOON Swagger UI is an interactive application for documentation and testing of the DRACOON API. This app is helpful if you develop your own DRACOON solutions (e.g. a script that accesses the DRACOON API). The DRACOON Swagger UI can be accessed at yourdracoon/api/.
- The DRACOON Web App cannot be deactivated because it is indispensable for managing DRACOON.
Register new own OAuth app
DRACOON offers an extensive programming interface (API). This makes it possible to develop your own custom scripts, apps and solutions using the full functionality of DRACOON. Almost all endpoints of the DRACOON API first require authentication (login) with a DRACOON user account before the respective API functions can be used with the authenticated user's permissions. For user authentication (and at the same time authorization of the developed solution), DRACOON uses the widely adopted OAuth 2.0 standard.
Before a self-developed DRACOON solution can authenticate a user for API access, the solution must be registered as a new custom OAuth app in DRACOON.
To register your self-developed DRACOON solution as a new OAuth app in DRACOON:
- In the left sidebar, click Settings and then Apps.
- Click the My Apps tab.
- Click the Add button to the right of Manage My Apps.
- The Configure App dialog box is displayed, which can be used to register a new OAuth app in DRACOON.
- Enter any meaningful name for your app/solution in the Name field.
- The Client ID field must contain an identifier that uniquely identifies your app. DRACOON automatically generates a random Client ID when creating a new app configuration and enters it in the field. You can display it by clicking the eye button to the right of the field and copy it to the clipboard by clicking the copy button next to it, e.g. to paste it into a script. If you do not like the Client ID suggested by DRACOON, you can also enter your own value in the field, which may also consist of letters, e.g. dracoon_company_user_management_script.
- The Client Secret field must contain an identifier that serves as a kind of additional password for authorizing your solution with DRACOON. This is also randomly generated by DRACOON and entered as a default, but can be replaced by your own value.
- For Grant Types, use the check boxes to select which authorization grant procedures your app uses.
- authorization_code or implicit: These two procedures are used, for example, when the user in question authenticates to DRACOON via OpenID Connect. In this case, the OpenID Connect provider usually displays a login mask for entering the credentials (the credentials entered are not passed on to the app concerned, only a so-called access token, which increases security by shielding the credentials). This method is also called the three-legged OAuth flow. Choose this method if, for example, you are developing an app that your users should be able to log in to manually, or if your solution should also be usable via OpenID Connect.
- password: This is the simplest procedure and is particularly suitable for scripts that are to run automatically. The username and password of the DRACOON user are stored in the script and transferred directly, without a login mask appearing that would require user interaction. This procedure is also called the two-legged OAuth flow. Note: This method can only be used with local DRACOON user accounts and Active Directory authentication, but not in conjunction with OpenID Connect!
- The default validity for an Access Token until it expires is 8 hours. If you want a different value, enter it in seconds in the Access Token field - otherwise leave the field blank to use the default value of 8 hours.
- The Refresh Token allows an app to automatically request a new Access Token when the latter expires (without the user having to re-authenticate). The default validity for a Refresh Token until it expires is 30 days. If you want a different value, enter it in seconds in the Refresh Token field - otherwise leave the field blank to use the default value of 30 days.
- If you are using the authorization_code or implicit grant type, enter one or more Internet addresses required by your OpenID Connect provider (IdP) in the Redirect URI field (consult your OpenID Connect provider's documentation for which URIs are required, if necessary). By clicking the small + button to the right of the input field, you can add more URIs if necessary.
- Click Save to complete the OAuth configuration of your app in DRACOON and register it in DRACOON.
A new OAuth app can also be registered in DRACOON directly via the API, without performing the above steps in the DRACOON Web App.
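The following is an added example (not code from DRACOON or from this article) of how a self-developed script would use an app registered as described above. It shows the two grant types from the Grant Types step side by side: the password grant (two-legged flow) for unattended scripts, and the authorization_code grant (three-legged flow) with the Redirect URI and a state value that the script must check on the callback. It also keeps track of the Access Token lifetime and uses the Refresh Token to obtain a new Access Token once the old one expires. The endpoint paths /oauth/token and /oauth/authorize, the use of HTTP Basic authentication with Client ID and Client Secret, and the shape of the JSON token response are assumptions (the RFC 6749 conventions) that you should verify against the DRACOON API documentation of your environment; the fake_send transport is a constructed stand-in so the example runs offline.

```python
"""OAuth 2.0 client for an app registered under Settings > Apps > My Apps in DRACOON.

Assumptions, not taken from the article:
  - token endpoint        <base_url>/oauth/token
  - authorization endpoint <base_url>/oauth/authorize
  - client authenticates with HTTP Basic (client_id:client_secret)
  - token response is JSON with access_token, refresh_token, expires_in (RFC 6749 5.1)
"""
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional


@dataclass
class DracoonOAuthApp:
    base_url: str                      # e.g. "https://yourdracoon" (placeholder)
    client_id: str                     # value of the Client ID field
    client_secret: str                 # value of the Client Secret field
    redirect_uri: str = ""             # value of the Redirect URI field (authorization_code only)
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0            # epoch seconds at which we treat the Access Token as expired

    def _basic_auth_header(self) -> str:
        raw = f"{self.client_id}:{self.client_secret}".encode()
        return "Basic " + base64.b64encode(raw).decode()

    def build_token_request(self, **params):
        """Return (url, headers, form body) for a POST to the token endpoint."""
        url = self.base_url.rstrip("/") + "/oauth/token"
        headers = {"Authorization": self._basic_auth_header(),
                   "Content-Type": "application/x-www-form-urlencoded"}
        return url, headers, urllib.parse.urlencode(params).encode()

    def authorization_url(self, state: Optional[str] = None):
        """Three-legged flow, step 1: URL the user's browser is sent to. The state
        value must be stored server-side and compared on the callback."""
        state = state or secrets.token_urlsafe(32)
        query = urllib.parse.urlencode({"response_type": "code", "client_id": self.client_id,
                                        "redirect_uri": self.redirect_uri, "state": state})
        return self.base_url.rstrip("/") + "/oauth/authorize?" + query, state

    def store_token_response(self, payload: dict, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        # Treat the token as expired 60 s early so a request never races the real expiry.
        self.expires_at = now + int(payload["expires_in"]) - 60

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at

    def login_password(self, username, password, send, now=None):
        """Two-legged flow: credentials go straight to the token endpoint (no login mask)."""
        url, headers, body = self.build_token_request(
            grant_type="password", username=username, password=password)
        self.store_token_response(send(url, headers, body), now)
        return self.access_token

    def exchange_code(self, code, returned_state, expected_state, send, now=None):
        """Three-legged flow, step 2: reject a callback whose state does not match."""
        if not secrets.compare_digest(returned_state, expected_state):
            raise ValueError("state mismatch on OAuth callback; discarding code")
        url, headers, body = self.build_token_request(
            grant_type="authorization_code", code=code, redirect_uri=self.redirect_uri)
        self.store_token_response(send(url, headers, body), now)
        return self.access_token

    def refresh(self, send, now=None):
        url, headers, body = self.build_token_request(
            grant_type="refresh_token", refresh_token=self.refresh_token)
        self.store_token_response(send(url, headers, body), now)
        return self.access_token

    def bearer(self, send, now=None) -> str:
        """Access Token to put in the Authorization header, refreshed when expired."""
        if self.needs_refresh(now):
            self.refresh(send, now)
        return self.access_token


def http_send(url, headers, body):
    """Real transport: POST the form body and decode the JSON token response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def fake_send(url, headers, body):
    """Constructed stand-in for the token endpoint, used for offline demonstration only.
    expires_in mirrors the article's default Access Token lifetime of 8 hours."""
    params = dict(urllib.parse.parse_qsl(body.decode()))
    return {"access_token": "at-" + params["grant_type"], "refresh_token": "rt-example",
            "token_type": "bearer", "expires_in": 8 * 3600}


if __name__ == "__main__":
    app = DracoonOAuthApp("https://yourdracoon", "CLIENT_ID_PLACEHOLDER",
                          "CLIENT_SECRET_PLACEHOLDER", redirect_uri="https://app.example/cb")
    app.login_password("script-user", "script-password", fake_send)
    print("bearer:", app.bearer(fake_send))
```

Replace fake_send with http_send to talk to a real environment; the Client ID and Client Secret belong in a secret store or environment variable, never in the script file itself, and for the password grant the stored user account should hold only the permissions the script needs.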
Lock, change or delete registered own OAuth app
If necessary, you can temporarily block an already registered own OAuth app, check/change its configuration or remove the app's registration from DRACOON.
- Lock app: To temporarily block your own registered OAuth app, set the switch to the right of the app to Off. The app/solution can then no longer authorize itself on your DRACOON and no longer access the DRACOON API.
- View/change app configuration: To view or edit the DRACOON configuration of your own registered OAuth app, click the pencil button to the right of the app. After that, the "Configure App" dialog box is displayed, where you can check the app configuration and make changes to it if necessary (see above).
- Delete app: If you no longer need a registered custom OAuth app, you can delete its registration from DRACOON. To do this, click the X button to the right of the app and confirm the warning message. The app/solution can then permanently no longer authorize itself with your DRACOON environment and no longer access the DRACOON API.