PingAccess

OpenID Connect endpoints

Specific endpoints are needed for PingFederate or another token provider to interface with PingAccess using the OpenID Connect (OIDC) protocol.

These endpoints are available on the engine.http.port and agent.http.port ports defined in the <PA_HOME>/conf/run.properties file.

If you selected the Use context root as reserved resource base path check box on your PingAccess application, this feature creates an instance of any reserved PingAccess resources under the application’s context root. As such, the context root of the application needs to prepend the reserved context application root (/pa by default) in any file paths that reference it.

If the context root of your application is myApp, the paths to the OIDC endpoints would be:

  • /myApp/pa/oidc/logout

  • /myApp/pa/oidc/cb

  • /myApp/pa/oidc/JWKS

  • /myApp/pa/oidc/logout.png

/pa/oidc/cb

The /pa/oidc/cb endpoint, along with the application virtual host, becomes the redirect Uniform Resource Identifier (URI) for the token provider configuration on the client.

/pa/oidc/deviceAuthzGrantPoll

PingAccess uses the /pa/oidc/deviceAuthzGrantPoll endpoint to check if the token provider has received a response from a user’s device and authenticated their request for access. Polling begins on the Continue on another device page after a user visits the Connect a device page and approves the user code submission.

Learn more in the Device authorization grant system-provided ACP and the Device authorization challenge ACR generator description.

/pa/oidc/JWKS

The token provider’s JSON Web Token (JWT) token processor uses the /pa/oidc/JWKS endpoint to verify signatures.

This endpoint must be used alongside a JWT token processor instance in the token provider configuration. If using PingFederate as the token provider, learn more in Configuring JSON token management in the PingFederate documentation.

/pa/oidc/logout

The pa/oidc/logoutendpoint clears the browser cookie containing the PingAccess token. This enables end users to trigger the removal of their own PingAccess cookie from the browser they’re using, which redirects them to the Logged out page.

You can modify the Logged out page template in the <PA_HOME>/conf/template/general.loggedout.page.template.html file.

This endpoint doesn’t retain any server-side state to indicate sign-off status.

  • If you selected the Use Single-Logout option when configuring the token provider, this endpoint also sends a sign-off request to the token provider, completing a full single logout (SLO) flow.

  • If you didn’t select the Use Single-Logout option when configuring the token provider, this endpoint clears the cookie only from the requested host or domains. This means that the cookie might still exist in requests bound for other hosts or domains.

/pa/oidc/logout.png

The token provider uses the /pa/oidc/logout.png endpoint to initiate sign off from PingAccess alongside SLO functionality. This stops the PingAccess token across domains.