PingOne

Configuring a redirect for a device custom verification URI

If the Device Custom Verification URI setting is configured for a device authorization application, the administrator must configure a redirect to which PingOne forwards the OIDC response after authentication.

About this task

The format of the redirect depends on a combination of two factors:

  • Is a custom domain configured for the environment?

  • Is the Device Path ID configured for the application?

Steps

  • Configure your redirects based on the information in the following table:

+[caption=] .Redirect formats for device custom verification URI

Custom domain configured for the environment? Device Path IDconfigured? Valid formats for redirects

Yes

Yes

  • https://<customDomain>/device/<clientId>?user_code=<userCode>

  • https://<customDomain>/device/<clientId>

  • https://<customDomain>/device/<devicePathId>?user_code=<userCode>

  • https://<customDomain>/device/<devicePathId>

  • https://<customDomain>/device?user_code=<userCode>

  • https://<customDomain>/device

Yes

No

  • https://<customDomain>/device/<clientId>?user_code=<userCode>

  • https://<customDomain>/device/<clientId>

  • https://<customDomain>/device?user_code=<userCode>

  • https://<customDomain>/device

No

Yes

  • https://auth.pingone.<region>/device/<clientId>?user_code=<userCode>

  • https://auth.pingone.<region>/device/<clientId>

  • https://auth.pingone.<region>/device/<devicePathId>?user_code=<userCode>

  • https://auth.pingone.<region>/device/<devicePathId>

  • https://auth.pingone.<region>/device?user_code=<userCode>

  • https://auth.pingone.<region>/device

No

No

  • https://auth.pingone.<region>/device/<clientId>?user_code=<userCode>

  • https://auth.pingone.<region>/device/<clientId>

  • https://auth.pingone.<region>/device?user_code=<userCode>

  • https://auth.pingone.<region>/device

The clientId path is safer because that value does not change (devicePathId can change). In addition, a redirect to /device without a clientId or devicePathId is not recommended because the application’s configured sign-on policy can’t be used. However, if you use the same Device Custom Verification URI value for two separate applications, then a redirect to /device is needed, and the flow uses the environment’s default sign-on policy.

Example:

+ For example, if the custom domain for the environment is set to acme-corporation.com, the Device Custom Verification URI for the application is set to https://acme.com/go, and the client ID for the application is c78dbdd0-cc2c-42fa-b275-486503c30d2b, the workflow is:

  1. The end user enters the short URL, such as https://acme.com/go, in a browser to start the activation flow.

  2. Outside of PingOne, the administrator has configured the following redirect to redirect the browser and start the device authorization flow: https://acme-corporation.com/device/c78dbdd0-cc2c-42fa-b275-486503c30d2b.

  3. In PingOne, the flow redirects to https://acme-corporation.com/signon?flowId=03f3581c-7fee-4bf5-adb1-ed056d31ce91 to start the PingOne flow.

Next steps

For more information about configuring your device authorization application, see Editing an application - Device authorization.