Configure an Application with an Authorization Code Grant
Number of APIs: 13
This activity shows you how to create an application, configure its connection settings, create a resource access grant, and initiate an authorization request. After an access token is generated, it is used by a user to update a user attribute.
The following operations are supported by the PingOne APIs:
- Create an application
- Create a resource access grant
- Initiate an
authorization_codeauthorization flow - Update a user attribute
Best practices for application secrets
Do not store an application secret in applications that are publicly available.
For security purposes, regenerate application secrets regularly (see Update the application secret).
If you suspect an application secret has been compromised, generate a new application secret immediately.
Prerequisites
Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.
Workflow order of operations
To configure an application and initiate an authorization code flow, the following tasks must be completed successfully:
Make a
POSTrequest to/environments/{{envID}}/applicationsto add a new application to the specified environment.Make a
GETrequest to/environments/{{envID}}/applications/{{appID}}/secretto return the new application'ssecretattribute.Make a
GETrequest to/environments/{{envID}}/resourcesto return a list of all resource entities associated with the specified environment to get the ID for the PingOne platform resource.Make a
GETrequest to/environments/{{envID}}/resources/{{resourceID}}/scopesto list all scopes associated with a specified resource (the PingOne platform resource).Make a
POSTrequest to/environments/{{envID}}/applications/{{appID}}/grantsto create a new resource access grant for the application.Make a
POSTrequest to/environments/{{envID}}/populationsto create a new population resource.Make a
POSTrequest to/environments/{{envID}}/usersto create a user who will be associated with the new population resource.Make a
POSTrequest to/environments/{{envID}}/users/{{userID}}/passwordto set the new user's password.Make a
POSTrequest to/{{envID}}/as/authorizeto obtain an authorization grant. This request starts the authorization flow.To initiate the authentication flow, make a
GETrequest toGET /{{envID}}/flows/{{flowID}}.To complete the authentication flow, make a
POSTrequest toGET /{{envID}}/flows/{{flowID}}and provide the user's login credentials.Make a
GETrequest to/{{envID}}/as/resume?flowId={{flowID}}to call the resume endpoint and return the token.After the authorization flow completes and returns an auth code, make a
POSTrequest to/{{envID}}/as/tokento exchange the auth code for an access token.
-
Step 3: Get the list of resources GET {{apiPath}}/environments/{{envID}}/resources
-
Step 1: Create an OpenID Connect (OIDC) application POST {{apiPath}}/environments/{{envID}}/applications
-
Step 6: Create a population POST {{apiPath}}/environments/{{envID}}/populations
-
Step 7: Create user POST {{apiPath}}/environments/{{envID}}/users
-
Step 8: Set user password PUT {{apiPath}}/environments/{{envID}}/users/{{appUserID}}/password
-
Step 10: Get the flow GET {{authPath}}/{{envID}}/flows/{{flowID}}
-
Step 11: Submit login credentials POST {{authPath}}/{{envID}}/flows/{{flowID}}
-
Step 12: Call the resume endpoint GET {{authPath}}/{{envID}}/as/resume?flowId={{flowID}}
-
Step 2: Get the application secret GET {{apiPath}}/environments/{{envID}}/applications/{{AppWithCodeGrantID}}/secret
-
Step 5: Create the application's resource access grant POST {{apiPath}}/environments/{{envID}}/applications/{{AppWithCodeGrantID}}/grants