PingCentral

OAuth and OIDC application promotions

When promoting OAuth and OpenID Connect (OIDC) applications, application owners provide this information:

  • Redirect URIs: The trusted location that the application is redirected to with the authorization code or access token after the OAuth flow is complete. Redirect URIs are only required when promoting applications that use an authorization code and implicit grant types.

  • Client secret: Used if a client secret is required to authenticate the application. Application owners can generate a client secret or create one of their own.

To learn more about this process, see Promoting OAuth and OIDC applications in the PingCentral for Application Owners guide.

During the promotion process, the application name and description remains the same. If PingCentral identifies an identical client in PingFederate, the application JSON, along with the information that the application owner provides, overwrites the PingFederate OAuth client within the target environment. If the client doesn’t already exist, PingCentral creates all of the items defined in the application JSON, along with the information that the application owner provided.

If the Allow JSON editing for application promotions option is enabled for the environment, application owners are able to edit the underlying application JSON when they promote their OAuth client applications.

If OAuth clients have ATMs, OIDC policies, or scopes that conflict with the target environment during the promotion process, PingCentral does not change them because they could be shared across clients. Otherwise, PingCentral adds the ATMs, OIDC policies, and scopes specified in the original JSON file. If scopes are added, they’re defined as exclusive scopes and are associated with the client upon promotion.

While PingCentral does not promote the policy contract to persistent grant mappings, it promotes all access token mappings associated with the client, which are determined by the access token managers associated with the client. Only access token mappings that use the default, client credentials, or authentication policy contract contexts will be promoted.