Test an OAuth Connection using Identifier First Authentication

Number of APIs: 21

This activity shows you how to test an OAuth connection using the identifier first login flow.

The easiest way to do this is by using two PingOne environments. This allows you to create a sign-on policy in one environment, and initiate the identifier first login flow as a user in the other environment, acting as the OIDC identity provider (IdP).

The identifier first login flow will first prompt a user for a username, and then use the identity provider discovery rules defined in the sign-on policy to route the user to the correct external identity provider for authentication. In this case, there will be one discoverable path, which is to sign on with a password. You will then call the resume endpoint to complete authorization and obtain an access token.

Prerequisites

  • Get an access token from the worker application that you created in Getting Started with the PingOne APIs.

  • A destination PingOne environment to act as the service provider (SP) for the OIDC application. You'll use this environment to configure the OIDC IdP connection. Authentication flows in this environment can be configured to allow external authentication.

  • A source PingOne environment that will act as the OIDC IdP. Users here will be able to complete authentication flows in the destination environment.

  • Cross-environment admin permissions for the destination and source environments.

  • A PingOne access token for each environment.

This scenario illustrates the following operations supported by the PingOne APIs:

  • Create an OIDC application in the source environment.
  • Create an OIDC IdP in the destination environment referencing the source application.
  • Create a sign-on policy in the destination environment.
  • Create a sign-on policy action to enable the sign-on policy for the OIDC IdP connection.
  • Set the sign-on policy as the default for the destination environment.
  • Create an OIDC application in the destination environment.
  • Create a population in the source and destination environments.
  • Create users in the source and destination environments.
  • Initiate an authorization request.
  • Get the flow to read the sign-on policy associated with the OIDC application.
  • Pass in the user credentials for verification.
  • Retrieve the authorization code from the authorization server by calling the resume endpoint.
  • Exchange the authorization code for the access token.

Workflow order of operations

To test an OAuth connection using the identifier first login flow, the following tasks must be completed successfully:

  1. Make POST requests to /environments to create a source environment and a destination environment.

  2. Make a POST request to /environments/{{sourceEnvID}}/applications to create an OIDC application in the source environment.

  3. Make a GET request to /environments/{{sourceEnvID}}/applications/{{appID}}/secret to read the OIDC application secret.

  4. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create an OIDC IdP in the destination environment.

  5. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the IdP in the destination environment.

  6. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}}/actions to create a new IDENTIFIER_FIRST sign-on policy action associated with the new sign-on policy.

  7. Make a PUT request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}} to set the policy as default.

  8. Make a POST request to /environments/{{destinationEnvID}}/applications to create an OIDC application in the destination environment.

  9. Make a GET request to /environments/{{destinationEnvID}}/applications/{{oidcAppDestinationID}}/secret to read the application secret in the destination.

  10. Make a POST request to /environments/{{destinationEnvID}}/applications/{{appID}}/signOnPolicyAssignments to assign the sign-on policy to the destination OIDC application.

  11. Make a POST request to /environments/{{sourceEnvID}}/populations to create a population in the source environment.

  12. Make a POST request to /environments/{{destinationEnvID}}/populations to create a population in the destination environment.

  13. Make a POST request to /environments/{{sourceEnvID}}/users to create a user in the source environment.

  14. Make a POST request to /environments/{{destinationEnvID}}/users to create a user in the destination environment.

  15. Make a PUT request to /environments/{{sourceEnvID}}/users/{{SourceUserID}}/password to set the source user's password.

  16. Make a PUT request to /environments/{{destinationEnvID}}/users/{{DestinationUserID}}/password to set the destination user's password.

  17. Make a GET request to /{{destinationEnvID}}/as/authorize to retrieve an authorization grant.

  18. Make a GET request to /{{destinationEnvID}}/flows/{{flowID}} to retrieve the flow.

  19. Make a POST request to /{{destinationEnvID}}/flows/{{flowID}} to sign on with the destination user.

  20. Make a POST request to /{{destinationEnvID}}/flows/{{flowID}} to verify the destination user's password.

  21. Make a GET request to /{{destinationEnvID}}/as/resume?flowId={{flowID}} to call the resume endpoint.

  22. Make a POST request to /{{destinationEnvID}}/as/token to retrieve the access token.
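The following is an added example, not PingOne's own code or part of the original page: it drives steps 17 through 22 above (authorize, read the flow, submit the identifier, check the password, call resume, exchange the code) as the client would, through an injectable `send` transport. A constructed `FakePingOne` plays the destination environment so the exchange runs offline and the single-use code and `state` checks can be seen end to end. The two flow `Content-Type` values, the flow status names, the JSON field names, and the placeholder host and IDs are assumptions, not values taken from the page.

```python
"""Added example, not PingOne's own code: steps 17-22 of the page through an
injectable transport, with a constructed FakePingOne as the server.
Assumed (not on the page): the flow Content-Types, status names, JSON field
names, and the placeholder host/IDs below."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_BASE = "https://auth.pingone.example"       # placeholder host
ENV_ID = "destinationEnvID-placeholder"           # stands in for {{destinationEnvID}}
REDIRECT_URI = "https://app.example/callback"     # placeholder client callback
LOOKUP = "application/vnd.pingidentity.user.lookup+json"               # assumed
PW_CHECK = "application/vnd.pingidentity.usernamePassword.check+json"  # assumed


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class FakePingOne:
    """Constructed server: a flow state machine plus single-use auth codes."""

    def __init__(self, client_id, client_secret, username, password):
        self.client, self.user = (client_id, client_secret), (username, password)
        self.flows, self.codes = {}, set()

    def send(self, method, url, headers=None, data=None):
        path, q = urlsplit(url).path, _query(url)
        ctype = (headers or {}).get("Content-Type", "")
        if path.endswith("/as/authorize"):            # step 17: open a flow, remember state
            fid = secrets.token_hex(8)
            self.flows[fid] = {"status": "IDENTIFIER_REQUIRED", "state": q.get("state")}
            return 302, {"Location": f"{AUTH_BASE}/{ENV_ID}/signon?flowId={fid}"}, ""
        if "/flows/" in path:                         # steps 18-20: read or advance the flow
            fid = path.rsplit("/", 1)[1]
            flow = self.flows[fid]
            if method == "POST":
                body = json.loads(data)
                if (ctype == LOOKUP and flow["status"] == "IDENTIFIER_REQUIRED"
                        and body.get("identifier") == self.user[0]):
                    flow["status"] = "USERNAME_PASSWORD_REQUIRED"
                elif (ctype == PW_CHECK and flow["status"] == "USERNAME_PASSWORD_REQUIRED"
                        and body.get("password") == self.user[1]):
                    flow["status"] = "COMPLETED"
                else:
                    return 400, {}, json.dumps({"code": "INVALID_DATA"})
            out = {"id": fid, "status": flow["status"]}
            if flow["status"] == "COMPLETED":
                out["resumeUrl"] = f"{AUTH_BASE}/{ENV_ID}/as/resume?flowId={fid}"
            return 200, {}, json.dumps(out)
        if path.endswith("/as/resume"):               # step 21: issue a code, echo state back
            flow = self.flows[q["flowId"]]
            if flow["status"] != "COMPLETED":
                return 400, {}, ""
            code = secrets.token_urlsafe(16)
            self.codes.add(code)
            cb = urlencode({"code": code, "state": flow["state"]})
            return 302, {"Location": f"{REDIRECT_URI}?{cb}"}, ""
        if path.endswith("/as/token"):                # step 22: redeem the code exactly once
            form = {k: v[0] for k, v in parse_qs(data).items()}
            ok = (form.get("grant_type") == "authorization_code"
                  and form.get("code") in self.codes
                  and (form.get("client_id"), form.get("client_secret")) == self.client
                  and form.get("redirect_uri") == REDIRECT_URI)
            if not ok:
                return 400, {}, json.dumps({"error": "invalid_grant"})
            self.codes.discard(form["code"])
            return 200, {}, json.dumps({"access_token": "at-" + secrets.token_hex(8),
                                        "token_type": "Bearer"})
        return 404, {}, ""


def identifier_first_login(send, client_id, client_secret, username, password):
    """Client side of steps 17-22. `send(method, url, headers, data)` returns
    (status, headers, body); a real transport must not follow redirects."""
    state = secrets.token_urlsafe(16)               # binds the callback to this attempt
    params = {"client_id": client_id, "response_type": "code", "scope": "openid",
              "redirect_uri": REDIRECT_URI, "state": state}
    status, hdrs, _ = send("GET", f"{AUTH_BASE}/{ENV_ID}/as/authorize?{urlencode(params)}")
    if status != 302:
        raise RuntimeError(f"authorize returned {status}")
    flow_url = f"{AUTH_BASE}/{ENV_ID}/flows/{_query(hdrs['Location'])['flowId']}"
    _, _, body = send("GET", flow_url)                                    # step 18
    if json.loads(body).get("status") != "IDENTIFIER_REQUIRED":
        raise RuntimeError("sign-on policy is not identifier first")
    _, _, body = send("POST", flow_url, {"Content-Type": LOOKUP},         # step 19
                      json.dumps({"identifier": username}))
    if json.loads(body).get("status") != "USERNAME_PASSWORD_REQUIRED":
        raise RuntimeError("identifier not accepted")
    _, _, body = send("POST", flow_url, {"Content-Type": PW_CHECK},       # step 20
                      json.dumps({"username": username, "password": password}))
    flow = json.loads(body)
    if flow.get("status") != "COMPLETED":
        raise RuntimeError("password check failed")
    _, hdrs, _ = send("GET", flow["resumeUrl"])                           # step 21
    cb = _query(hdrs["Location"])
    if not secrets.compare_digest(cb.get("state", ""), state):            # reject a foreign code
        raise RuntimeError("state mismatch on callback")
    form = urlencode({"grant_type": "authorization_code", "code": cb["code"],
                      "redirect_uri": REDIRECT_URI, "client_id": client_id,
                      "client_secret": client_secret})
    status, _, body = send("POST", f"{AUTH_BASE}/{ENV_ID}/as/token",      # step 22
                           {"Content-Type": "application/x-www-form-urlencoded"}, form)
    token = json.loads(body)
    if status != 200:
        raise RuntimeError(token.get("error", "token request failed"))
    return token
```

`identifier_first_login(FakePingOne("cid", "s", "alice@example.test", "pw").send, "cid", "s", "alice@example.test", "pw")` returns the token document. Two points carry over to a real client: keep redirects off so the `flowId` and the callback `code` can be read from the `Location` header, and compare the returned `state` with the one sent before redeeming the code, otherwise a code delivered by a different session would be accepted.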

Run In Qodex

  • Step 2: Create Destination Environment (POST {{apiPath}}/environments)

  • Step 3: Create an OIDC application in the source environment (POST {{apiPath}}/environments/{{sourceEnvID}}/applications)

  • Step 4: Read the OIDC application secret (GET {{apiPath}}/environments/{{sourceEnvID}}/applications/{{oidcAppSourceID}}/secret)

  • Step 5: Create OIDC IdP in destination environment (POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders)

  • Step 6: Create a sign-on policy for the OIDC IdP (POST {{apiPath}}/environments/{{destinationEnvID}}/signOnPolicies)

  • Step 11: Assign the sign-on policy to the destination OIDC application (POST {{apiPath}}/environments/{{destinationEnvID}}/applications/{{oidcAppDestinationID}}/signOnPolicyAssignments)

  • Step 12: Create a source population (POST {{apiPath}}/environments/{{sourceEnvID}}/populations)

  • Step 13: Create a destination population (POST {{apiPath}}/environments/{{destinationEnvID}}/populations)

  • Step 14: Create a source user (POST {{apiPath}}/environments/{{sourceEnvID}}/users)

  • Step 15: Create a destination user (POST {{apiPath}}/environments/{{destinationEnvID}}/users)