OAuth Consent Management Service
PingFederate includes a REST-based web service to manage OAuth consent administratively.
The OAuth consent management service enables retrieval and revocation of consent and their associated attributes on a per-client or per-resource owner basis.
Beginning with PingFederate 12.1, the authorizationDetails
JSON field in responses from this endpoint has been deprecated in favor of the authorizationDetail
and authroizationDetailDescription
fields.
Client records must be stored in an external client data store. |
Applications must authenticate to this web service using HTTP Basic authentication and credentials validated through an instance of a password credential validator (PCV). The PCV instance, in turn, must be selected in the OAuth authorization server (AS) configuration.
Before using this endpoint, go to System → OAuth Settings → Authorization Server Settings and select the Bypass Authorization for Previously Approved Consents check box. The endpoint will not return consents unless this option is enabled. |
Endpoints
- Manage by client
-
/pf-ws/rest/oauth/clients/<clientId>/consents<consentId>]
- Manage by user (based on the USER_KEY value)
-
/pf-ws/rest/oauth/users/<userKey>/consents<consentId>]
- Parameters
Parameter | Description | ||
---|---|---|---|
|
The client ID for which to retrieve or revoke consents. Required to manage consents for a specific client. |
||
|
The Required to manage consents for a specific resource owner.
|
||
|
The The value corresponds to the value of the
|
- Cross Site Request Forgery Protection
-
Both endpoints require the
X-XSRF-HEADER
HTTP header with any value to prevent cross-site request forgery. - Example
-
- Sample request
A request to retrieve all consents for a client with an ID value of ac_oic_client
.
GET /pf-ws/rest/oauth/clients/ac_oic_client/consents HTTP/1.1 Host: localhost:9031 Authorization: Basic YWRtaW46MkZlZGVyYXRl X-XSRF-HEADER: PingFederate
- Sample response
{
"items": [
{
"id": "JDu17McN2ZFDANnHKtpATmrKjHISDVpW",
"userKey": "asmith",
"scope": "openid",
"clientId": "ac_oic_client",
"created": "2023-12-04T20:05:10.000Z",
"updated": "2023-12-04T20:05:10.000Z"
},
{
"id": "d1fGI9yFwRJrsxurEw0fX7WMFX22uoEW",
"userKey": "asmith",
"scope": "profile",
"clientId": "ac_oic_client",
"created": "2023-12-04T20:05:10.000Z",
"updated": "2023-12-04T20:05:10.000Z"
}
]
}
Code | Description |
---|---|
|
Success |
|
Success with no content returned Returned when revoking a consent. |
|
Invalid Credentials The user does not exist, the password is incorrect, or the user account is locked. |
|
Not Found Returned when the requested consent or client is not found. |
|
Internal Server Error An unknown error has occurred. |
Logging
PingFederate records the actions performed through this endpoint in the runtime-api.log
file. While the events themselves are not configurable, you can adjust the log4j2.xml
configuration settings to alter the format and desired level of detail surrounding each event.
Each log entry contains information relating to the event, including:
-
Time the event occurred on the PingFederate server
-
Administrator username performing the action
-
Authentication method
-
Client IP
-
HTTP method
-
REST endpoint
-
HTTP status code
Each of the above fields is separated by a vertical pipe (|
) for ease of parsing.