Test an OIDC Application Connection

Number of APIs: 10

To test the execution of an OpenID Connect (OIDC) connection for an application configured in your PingOne environment, you must have a working OIDC identity provider (IdP) for your environment to communicate with.

The easiest way to do this is to use two PingOne environments. You can then execute an authentication flow for an application in one PingOne environment by authenticating externally as a user in a second PingOne environment that acts as the OIDC IdP.

Prerequisites

  • Get an access token from the worker application that you created in Getting Started with the PingOne APIs. To get a token from a different worker application in an alternate sandbox environment, call the token endpoint using the client ID and client secret of your chosen worker app to authenticate the request. For more information, see GET a Worker Application Access Token.

  • A destination PingOne environment to act as the service provider (SP) for the OIDC application. You'll use this environment to configure the OIDC IdP connection. Authentication flows in this environment can be configured to allow external authentication.

  • A source PingOne environment that will act as the OIDC IdP. Users here will be able to complete authentication flows in the destination environment.

  • Cross-environment admin permissions for the destination and source environments.

  • A PingOne access token for each environment.

This scenario illustrates the following operations supported by the PingOne APIs:

  • Create an OIDC application in the source environment.
  • Create an OIDC IdP in the destination environment referencing the source application.
  • Create a sign-on policy in the destination environment.
  • Create a sign-on policy action to enable the sign-on policy for the OIDC IdP connection.
  • Set the sign-on policy as the default for the destination environment.
  • Initiate an authorization request.

Workflow order of operations

To test the OIDC application connection, the following tasks must be completed successfully:

  1. Make POST requests to /environments to create a source environment and a destination environment.

  2. Make a POST request to /environments/{{sourceEnvID}}/applications to create an OIDC application in the source environment.

  3. Make a GET request to /environments/{{sourceEnvID}}/applications/{{appID}}/secret to read the OIDC application secret.

  4. Make a POST request to /environments/{{destinationEnvID}}/identityProviders to create an OIDC IdP in the destination environment.

  5. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies to create a sign-on policy for the IdP in the destination environment.

  6. Make a POST request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}}/actions to create a new IDENTIFIER_FIRST sign-on policy action associated with the new sign-on policy.

  7. Make a PUT request to /environments/{{destinationEnvID}}/signOnPolicies/{{policyID}} to set the policy as default.

  8. Make a POST request to /environments/{{destinationEnvID}}/applications to create an OIDC application in the destination environment.

  9. Make a POST request to /environments/{{destinationEnvID}}/applications/{{appID}}/signOnPolicyAssignments to assign the sign-on policy to the destination OIDC application.

  10. Make a GET request to /{{destinationEnvID}}/as/authorize to retrieve an authorization grant.
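The authorization request in step 10 uses a fixed nonce (123) and no state parameter, which is fine for a one-off manual test but not for anything that runs unattended. The following added example (not part of the PingOne documentation; the {{authPath}} value, redirect URI and the state/nonce handling are this example's own assumptions) builds the /as/authorize URL with random, single-use state and nonce values and checks the redirect back to redirect_uri before trusting the returned code.

```python
"""Build and validate the PingOne /as/authorize request from step 10.

Added example, not PingOne's own code. Only the URL shape from the page is
assumed; the random state/nonce and the callback checks are this example's.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTH_PATH = "https://auth.pingone.com"  # assumed value of {{authPath}}


def build_authorize_request(env_id, client_id, redirect_uri,
                            scopes=("openid", "profile")):
    """Return (url, pending); pending holds the state/nonce to verify later."""
    pending = {"state": secrets.token_urlsafe(32),
               "nonce": secrets.token_urlsafe(32)}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # quote encodes the space as %20
        "state": pending["state"],
        "nonce": pending["nonce"],  # bound to the ID token, not 123
    }
    url = f"{AUTH_PATH}/{env_id}/as/authorize?{urlencode(params, quote_via=quote)}"
    return url, pending


def validate_callback(callback_url, pending, expected_redirect_uri):
    """Check the redirect back to redirect_uri and return the authorization code.

    Raises ValueError if the IdP returned an error, the state does not match the
    pending request, the code is missing, or the URL is not the registered one.
    """
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != expected_redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    q = parse_qs(parts.query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    # Constant-time comparison of the state echoed back by the IdP.
    got_state = q.get("state", [""])[0].encode()
    if not secrets.compare_digest(got_state, pending["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    pending["used"] = True  # state and nonce are single-use
    return q["code"][0]
```

The nonce kept in `pending` should be compared against the `nonce` claim of the ID token obtained when the code is exchanged at the token endpoint.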

Execute the authentication flow

  1. Open a private browser window, and enter the Location header URL that was returned from the /as/authorize call.

  2. Click the button that matches your OIDC IdP connection.

  3. Authenticate as a user in the source environment. Depending on your configuration, you may need to perform account linking or user verification.

You should be able to sign on as a source environment user, indicating that authentication from the source environment to the OIDC IdP in the destination environment is working. After authenticating, you are taken to the redirect_uri of the application in your destination environment.

Requests in this scenario, in step order:

  • Step 1b: Create Destination Environment
    POST {{apiPath}}/environments

  • Step 2: Create an OIDC application in the source environment
    POST {{apiPath}}/environments/{{sourceEnvID}}/applications

  • Step 3: Read the OIDC application secret
    GET {{apiPath}}/environments/{{sourceEnvID}}/applications/{{oidcAppSourceID}}/secret

  • Step 4: Create OIDC provider in destination environment
    POST {{apiPath}}/environments/{{destinationEnvID}}/identityProviders

  • Step 5: Create a sign-on policy for the OIDC IdP
    POST {{apiPath}}/environments/{{destinationEnvID}}/signOnPolicies

  • Step 6: Create a sign-on policy action
    POST {{apiPath}}/environments/{{destinationEnvID}}/signOnPolicies/{{oidcSignonPolicyID}}/actions

  • Step 7: Set the sign-on policy as the default
    PUT {{apiPath}}/environments/{{destinationEnvID}}/signOnPolicies/{{oidcSignonPolicyID}}

  • Step 8: Create an OIDC application in the destination environment
    POST {{apiPath}}/environments/{{destinationEnvID}}/applications

  • Step 9: Assign the sign-on policy to the destination OIDC application
    POST {{apiPath}}/environments/{{destinationEnvID}}/applications/{{oidcAppDestinationID}}/signOnPolicyAssignments

  • Step 10: Send an authorization request
    GET {{authPath}}/{{destinationEnvID}}/as/authorize?response_type=code&client_id={{oidcAppDestinationID}}&redirect_uri=https://example.com&scope=openid profile&nonce=123