PingAccess

Adding one-time authorization rules

Add a one-time authorization rule to let the user obtain authorization for a mobile app or single-page application using the Client-Initiated Back-channel Authentication (CIBA) specification.

Before you begin

You must have a configured token provider and an OAuth client with the client-initiated backchannel authentication (CIBA) grant type enabled.

Steps

  1. Click Access and then go to Rules → Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select One-Time Authorization.

  5. In the Client ID field, enter the Client ID of the OAuth client.

  6. Select a Client Credentials Type, then provide the information required for the selected credential type.

    Choose from:

    • Secret – In the Client Secret field, enter the secret used by the OAuth client to authenticate to the authorization server.

    • Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.

    • Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.

  7. From the Login Hint Request Attribute list, select an attribute.

    When a user authenticates, the value of this attribute is included in the call to the token provider. This attribute value can identify the user.

  8. Optional: In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.

  9. Optional: Click New Value to add additional fields.

  10. Optional: Click Show Advanced to configure advanced options:

  11. Optional: In the Requested Expiry (S) field, enter the transaction lifetime in seconds.

    If not specified, the value defined in the CIBA request policy is used.

  12. Optional: From the Timeout Rejection Handler list, select the handler to use for an expired request.

  13. Optional: From the Deny Rejection Handler list, select the handler to use for a denied request.

  14. Click Save.
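What the rule's settings become on the wire, as an added illustration (constructed for this page, not PingAccess code): the CIBA backchannel authentication request built from the Client ID, Client Credentials Type, login hint, Scopes and Requested Expiry fields, the polling request carrying the `auth_req_id`, and the mapping of the token endpoint's responses onto the Timeout and Deny rejection handlers. Parameter names follow OpenID Connect CIBA Core 1.0; how PingAccess itself assembles them is an assumption.

```python
"""Constructed example: the CIBA exchange behind a one-time authorization rule.

Not PingAccess code. Field names mirror the rule's UI labels; the wire
parameters are the ones defined by OpenID Connect CIBA Core 1.0.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class OneTimeAuthorizationRule:
    client_id: str
    credentials_type: str                  # "secret", "mutual_tls" or "private_key_jwt"
    client_secret: Optional[str] = None    # only for the Secret credential type
    scopes: List[str] = field(default_factory=list)
    requested_expiry: Optional[int] = None  # seconds; None -> CIBA request policy default


def backchannel_request(rule: OneTimeAuthorizationRule, login_hint: str,
                        client_assertion: Optional[str] = None) -> Dict[str, str]:
    """Parameters sent to the token provider's backchannel authentication endpoint."""
    # openid is always requested, so only add the other scopes once.
    scope = ["openid"] + [s for s in rule.scopes if s != "openid"]
    params = {"scope": " ".join(scope), "login_hint": login_hint}  # Login Hint Request Attribute
    if rule.requested_expiry is not None:
        params["requested_expiry"] = str(rule.requested_expiry)
    if rule.credentials_type == "secret":
        params["client_id"] = rule.client_id
        params["client_secret"] = rule.client_secret or ""
    elif rule.credentials_type == "mutual_tls":
        params["client_id"] = rule.client_id   # identity proven by the TLS client certificate
    elif rule.credentials_type == "private_key_jwt":
        params["client_assertion_type"] = JWT_BEARER
        params["client_assertion"] = client_assertion or ""   # signed JWT, built elsewhere
    else:
        raise ValueError(f"unknown credentials type: {rule.credentials_type}")
    return params


def token_poll_request(auth_req_id: str) -> Dict[str, str]:
    """Polling request to the token endpoint while the user approves on their device."""
    return {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id}


def poll_outcome(token_response: Dict[str, str]) -> str:
    """Map a token endpoint response to the rule's next action."""
    if "access_token" in token_response:
        return "allow"
    err = token_response.get("error")
    if err in ("authorization_pending", "slow_down"):
        return "retry"                       # user has not decided yet; keep polling
    if err == "expired_token":
        return "timeout_rejection_handler"   # Requested Expiry elapsed
    if err == "access_denied":
        return "deny_rejection_handler"      # user rejected the request
    return "error"
```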