PingFederate Server

Configuring support for OAuth rich authorization requests

You can configure PingFederate to support rich authorization requests from OAuth clients.

Before you begin

Review the SDK documentation for the com.pingidentity.sdk.authorizationdetails package. You can find the SDK documentation in the <pf_install>/pingfederate/sdk/doc directory or in the compiled PingFederate Server SDK documentation.

Steps

  • Use the PingFederate SDK to develop an authorization detail processor plugin that can process the authorization detail type you want to support.

    PingFederate does not include any authorization detail processors because handling the authorization details depends on your requirements and use cases.
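The following added example is not PingFederate or SDK code. It models, in stand-alone Python, the checks RFC 9396 describes for an authorization server before it accepts an `authorization_details` value: reject unknown types, unknown fields, wrong JSON types, and invalid values. The `payment_initiation` type, its field rules, and the allowed values are assumptions chosen for illustration; a real processor implements its own rules in Java against the SDK package named above.

```python
import json
import re

# Hypothetical type and field rules, chosen for illustration only.
SUPPORTED_TYPE = "payment_initiation"
REQUIRED = {"type": str, "actions": list, "instructedAmount": dict}
OPTIONAL = {"locations": list, "creditorName": str}
ALLOWED_ACTIONS = ("initiate", "status", "cancel")
ALLOWED_CURRENCIES = ("EUR", "USD")
AMOUNT_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?")
# Constructed sample value of the authorization_details request parameter.
SAMPLE = ('[{"type": "payment_initiation", "actions": ["initiate"],'
          ' "instructedAmount": {"currency": "EUR", "amount": "123.50"}}]')


class InvalidAuthorizationDetails(ValueError):
    """Corresponds to the RFC 9396 error code invalid_authorization_details."""


def check_entry(entry):
    if not isinstance(entry, dict) or entry.get("type") != SUPPORTED_TYPE:
        raise InvalidAuthorizationDetails("not an object of a supported type")
    unknown = set(entry) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        raise InvalidAuthorizationDetails(f"unknown fields: {sorted(unknown)}")
    for name, kind in {**REQUIRED, **OPTIONAL}.items():
        if (name in entry or name in REQUIRED) and not isinstance(entry.get(name), kind):
            raise InvalidAuthorizationDetails(f"missing or mistyped field: {name}")
    if not entry["actions"] or any(a not in ALLOWED_ACTIONS for a in entry["actions"]):
        raise InvalidAuthorizationDetails("actions outside the allowed set")
    amount = entry["instructedAmount"]
    if set(amount) != {"currency", "amount"} or amount["currency"] not in ALLOWED_CURRENCIES:
        raise InvalidAuthorizationDetails("invalid instructedAmount")
    value = amount["amount"]
    if not (isinstance(value, str) and AMOUNT_RE.fullmatch(value) and float(value) > 0):
        raise InvalidAuthorizationDetails("invalid amount")


def validate_authorization_details(raw):
    """Return the parsed list only if every entry passes; otherwise raise."""
    try:
        details = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise InvalidAuthorizationDetails("not valid JSON") from exc
    if not isinstance(details, list) or not details:
        raise InvalidAuthorizationDetails("must be a non-empty JSON array")
    for entry in details:
        check_entry(entry)
    return details
```

Failing closed on unknown fields matters here because the validated object is what the user consents to and what ends up bound to the token.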

Configuring authorization detail processors

Authorization detail processors are custom plugins you can develop and configure to support rich authorization requests.

Before you begin

You must have an authorization detail processor plugin that can process the authorization detail type you want to support.

About this task

To configure an authorization detail processor instance:

Steps

  1. In PingFederate, go to System → OAuth Settings → Authorization Detail Processors.

  2. In the Authorization Detail Processors window, click Create New Instance.

    Result:

    The Create Authorization Detail Processor Instance window opens.

  3. On the Type tab:

    1. Enter an Instance Name and unique Instance ID.

    2. Select an Authorization Detail Processor Type.

    3. Optional: If other instances exist, select one of them as a Parent Instance on which to base this new instance.

  4. On the Instance Configuration tab, configure the authorization detail processor instance.

    The tab’s settings are determined by the plugin for the Authorization Detail Processor Type that you selected on the Type tab.

  5. On the Summary tab, review the settings. Click Save.

    The Summary tab shows the Class Name and Supported Authorization Details Types, which are determined by your custom plugin.

    Screen capture of the Summary tab of the Create Authorization Detail Processor Instance window

Configuring authorization detail types

Before you begin

PingFederate must have an instance of an authorization detail processor that can process the authorization detail type that you’re configuring.

If you need information about the authorization detail processor instance when configuring an authorization detail type, go to System → OAuth Settings → Authorization Detail Processors, open the instance, and select the Summary tab in the Create Authorization Detail Processor Instance window.

About this task

To support rich authorization requests from OAuth clients, you must configure an authorization detail type for each type that you want PingFederate to support:

Steps

  1. In PingFederate, go to System → OAuth Settings → Authorization Detail Types.

  2. In the Authorization Detail Types window, click Add Authorization Detail Type.

  3. In the Add an Authorization Detail Type window:

    1. In the Type field, enter the name of a supported authorization detail type.

    2. Enter a Description for the authorization detail type.

    3. Select the Authorization Detail Processor instance to handle the authorization detail type.

    4. Click Save.

    Screen capture of the Add an Authorization Detail Type window

Next steps

To complete your configuration:

  1. Configure the external consent user interface, adding an External Consent Authorization Details Attribute.

  2. Configure the OAuth client, selecting the check boxes for Allow Authorization Details and the authorization detail type that you configured in the Add an Authorization Detail Type window in step 3 of this topic.