--- title: "Supporting Web+API Applications" description: PingAccess simplifies adding OpenID Connect (OIDC) and OAuth to API-based web applications, such as single-page applications (SPAs). component: pingaccess version: 9.0 page_id: pingaccess:agents_and_integrations:pa_apigee_supporting_web_and_api_applications canonical_url: https://docs.pingidentity.com/pingaccess/9.0/agents_and_integrations/pa_apigee_supporting_web_and_api_applications.html revdate: July 28, 2025 section_ids: about-this-task: About this task steps: Steps --- # Supporting **Web+API** Applications PingAccess simplifies adding OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)* and OAuth *(tooltip: \
\

A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\

\
)* to API-based web applications, such as single-page applications (SPAs). ## About this task In this configuration, PingAccess completely manages the OIDC authentication for the SPA, maintains a cookie-based web session with the browser, and replaces the cookie for an OAuth access token *(tooltip: \
\

A data object by which a client authenticates to a resource server and lays claim to authorizations for accessing particular resources.\

\
)* (or other identity mappings) before invoking the target API. You must perform additional steps to support this configuration. ## Steps 1. Configure Apigee to intercept calls for PingAccess. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | If you selected the **Use context root as reserved resource base path** checkbox on the PingAccess application you plan to use in conjunction with Apigee, skip ahead to step 2. When enabled, this feature provides reserved PingAccess resources from that application's context root, which makes step 1 unnecessary. | 1. In Apigee, go to **Develop > API Proxies** and click **Create New**. 2. On the **Create Proxy** page, click **No Target**. 3. In the **Name** field, enter `PingAccess`. 4. In the **Base Path** field, enter `/pa`. ![A screen capture showing the Proxy Details page with in the Name field and /pa in the Base path field.](_images/mxw1655138676203.png) 5. In the **Policies** section of the **Navigator**, click **[icon: plus, set=fa]**to add a policy. 6. Add a **Flow Callout Policy**, and in the **Shared Flow** list, select **PingAuth**. 7. Click **Save**. 8. In the **Proxy Endpoints** section of the navigator, select **PreFlow**, then add the flow callout policy as a **Request Step**. ![A screen capture showing the Flow Callout Policy in the PreFlow tab.](_images/rud1655139923648.png) 9. Save and deploy the new proxy. 2. Add a **Web+API** application in PingAccess: 1. Go to **Applications > Applications** and click **[icon: plus, set=fa]Application**. 2. Enter a **Name**, and then enter the **Context Root** and select or create **Virtual Host(s)** values to match how the application's APIs are exposed from your Apigee environment. | | | | - | ------------------------------------------------------------------------------------ | | | To create a Virtual Host, click **[icon: plus, set=fa]Create** below the field name. | ![A screen capture showing the top of the configured application. The Name, Context Root, and Virtual Host(s) fields are filled out accordingly.](_images/zoq1655140329458.png) 3. Configure the web session: 1. In the **Application Type** list, select **Web+API**. 2. To create a **Web Session**, click **[icon: plus, set=fa]Create** below the field name. 3. Enter the web session details, including the OIDC sign-on details configured in your OpenID Provider (OP) *(tooltip: \
\

In OAuth terms, an authorization server (AS). The OP/AS issues access tokens to protected resources for approved clients (relying parties). The clients use the access token to access the protected resources hosted by the OAuth resource server.\

\
)*. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | PingAccess can only manage the OIDC authentication on behalf of the browser if PingAccess, through Apigee, is configured as the redirect URL in your OIDC provider.For example, `https://apigee.example.com/pa/oidc/cb`. | 4. Click **Save** to save the web session. 5. To create a **Web Identity Mapping**, click **[icon: plus, set=fa]Create** below the field name. 6. Name the identity mapping `Access Token` and select **Web Session Access Token** as the **Type**. This configures PingAccess to forward the OAuth Access Token it obtains from the OIDC provider Authorization Server as the bearer token to the API behind Apigee. 7. Click **Save**. ![A screen capture showing the configured web session.](_images/mqd1655140527285.png) 4. In the **Access Validation** list, select the form of access validation to apply for non-web API clients, such as mobile applications. 5. Configure Apigee as the application destination: 1. In the **Destination** list, select **Sideband**. 2. In the **Sideband Client** list, select the sideband client that you created earlier. 3. Click **Save**. ![A screen capture showing the Destination field with Sideband selected as the destination. Apigee is selected in the Sideband Client field.](_images/quk1655140898170.png)