Qodex.ai

Show PingOne Authorize App Permissions in Token

Number of APIs: 22

This activity shows you how to create a custom resource and how to use PingOne Authorize endpoints to create application roles and permissions to associate with the custom resource. The custom resource configuration includes a setting to show application permissions as a claim in the access token.

The following operations are supported by the PingOne APIs:

  • Create an application
  • Create a custom resource
  • Create PingOne Authorize application resources, roles, and permissions
  • Create a sign-on policy
  • Create login sign-on policy action
  • Create a user
  • Initiate an authorize request
  • Use flow APIs to complete the login actions
  • Use the token request to get an access token for the custom resource
  • Use the token introspection endpoint to show application permissions in the access token

Prerequisites

  • You must have the PING_ONE_AUTHORIZE capability in the Bill of Materials (BOM) for your environment to run the PingOne Authorize requests to create application resources, application roles, and application permissions.

  • Get an access token from the worker application you created in Getting Started with the PingOne APIs. If you prefer to get a token from a different worker application in an alternate sandbox environment, run the token request endpoint using the client ID and client secret of your chosen worker app to authenticate the request. See GET a Worker Application Access Token.

Workflow order of operations

To get an access token for the custom resource, the following tasks must be completed successfully:

  1. Make a POST request to /environments/{{envID}}/applications to add a new application to the specified environment.

  2. Make a GET request to /environments/{{envID}}/applications/{{appID}}/secret to return the new application's secret attribute, which is needed for the token request.

  3. Make a POST request to /environments/{{envID}}/resources to define the custom resource.

  4. Make a POST request to /environments/{{envID}}/resources/{{resourceID}}/scopes to define a scope for the custom resource.

  5. Make a POST request to /environments/{{envID}}/applications/{{appID}}/grants to create a new resource access grant for the application.

  6. Make a POST request to /environments/{{envID}}/resources/{{customResourceID}}/applicationResources to create the application resource.

  7. Make a POST request to /environments/{{envID}}/applicationResources/{{appResourceID}}/permissions to create the application resource permission.

  8. Make a POST request to /environments/{{envID}}/applicationRoles to create an application role.

  9. Make a POST request to /environments/{{envID}}/applicationRoles/{{appRoleID}}/permissions to assign an application resource permission to the specified role.

  10. Make a POST request to /environments/{{envID}}/signOnPolicies to create a new sign-on policy.

  11. Make a POST request to /environments/{{envID}}/signOnPolicies/{{signOnPolicyID}}/actions to define the login action associated with this sign-on policy.

  12. Make a POST request to /environments/{{envID}}/applications/{{appID}}/signOnPolicyAssignments to associate the sign-on policy with the application.

  13. Make a POST request to /environments/{{envID}}/populations to create a new population.

  14. Make a POST request to /environments/{{envID}}/users to create a user who will be assigned to the new population.

  15. Make a POST request to /environments/{{envID}}/users/{{userID}}/password to set the new user's password.

  16. Make a POST request to /environments/{{envID}}/users/{{customResourceUserID}}/applicationRoles to assign the application role to a user.

  17. Make a GET request to /{{envID}}/as/authorize to obtain an authorization grant. This request starts the authorization flow.

  18. Make a GET request to /{{envID}}/flows/{{flowID}} to initiate the sign-on flow.

  19. To complete the login action, make a POST request to GET /{{envID}}/flows/{{flowID}} and provide the user's login credentials.

  20. Make a GET request to /{{envID}}/as/resume?flowId={{flowID}} to call the resume endpoint and return the auth code.

  21. Make a POST request to /{{envID}}/as/token to exchange the auth code for an access token.

  22. To verify that the token includes the application permissions, make a POST request to GET /{{envID}}/as/introspect to view the application permission claim in the token.

Run In Qodex

  1. Step 10: Create a sign-on policy POST {{apiPath}}/environments/{{envID}}/signOnPolicies

  2. Step 2: Get the application secret GET {{apiPath}}/environments/{{envID}}/applications/{{customResourceAppID}}/secret

  3. Step 20: Call the resume endpoint GET {{authPath}}/{{envID}}/as/resume?flowId={{flowID}}

  4. Step 8: Create an application role POST {{apiPath}}/environments/{{envID}}/applicationRoles

  5. Step 11: Create the login sign-on policy action POST {{apiPath}}/environments/{{envID}}/signOnPolicies/{{customResourcePolicyID}}/actions

  6. Step 12: Assign the sign-on policy to the web application POST {{apiPath}}/environments/{{envID}}/applications/{{customResourceAppID}}/signOnPolicyAssignments

  7. Step 13: Create a population POST {{apiPath}}/environments/{{envID}}/populations

  8. Step 14: Create a user POST {{apiPath}}/environments/{{envID}}/users

  9. Step 6: Create an application resource POST {{apiPath}}/environments/{{envID}}/resources/{{customResourceID}}/applicationResources

  10. Step 1: Create a web application POST {{apiPath}}/environments/{{envID}}/applications