Editing a resource

Use the Resources page to modify existing resources in PingOne.

You can enable an OIDC-based application to request scopes from multiple resources in a single request. Learn more about the Request scopes to access multiple resources option in Editing an application - OIDC.

Steps

In the PingOne admin console, go to Applications > Resources and browse or search for the resource you want to edit.

The results list updates as you enter the search query. The current resources are shown in the list.
Click a resource entry to open the details panel for the resource.

On the Overview tab, click the Pencil icon () and enter or edit the following:

Field Description

Field	Description
Resource Name	A unique identifier for the resource.
Audience (optional)	The intended audience for the resource. If you don’t provide a value, PingOne defaults to the resource name.
Description (optional)	A brief description of the resource.
Access token time to live (seconds)	The maximum time, in seconds, that the access token will be valid for use in the application.
Token Introspection Endpoint Authentication Method	Specifies how to authenticate using the client credentials for the application to which the token was issued. You can select from: `None` `Client secret basic` `Client secret post` `Client secret JWT` `Private key JWT` For `Private key JWT`, select JWKS URL or JWKS. Provide either the URL where PingOne can retrieve the JSON Web Key Set (JWKS) or the web key set itself.

Resource Name

A unique identifier for the resource.

Audience (optional)

The intended audience for the resource. If you don’t provide a value, PingOne defaults to the resource name.

Description (optional)

A brief description of the resource.

Access token time to live (seconds)

The maximum time, in seconds, that the access token will be valid for use in the application.

Token Introspection Endpoint Authentication Method

Specifies how to authenticate using the client credentials for the application to which the token was issued. You can select from:

None
Client secret basic
Client secret post
Client secret JWT
Private key JWT

For Private key JWT, select JWKS URL or JWKS. Provide either the URL where PingOne can retrieve the JSON Web Key Set (JWKS) or the web key set itself.

On the Attributes tab, map resource attributes to user attributes in PingOne.

Enter a resource attribute and then select the corresponding PingOne attribute from the list.

For example, you could map the OIDC family_name attribute to the PingOne Family Name attribute.

Resources can use JSON attributes in their attribute mappings. You can use these attributes to pass complex information to applications through an access token. Learn more in Adding user attributes.

(Optional) Click the Gear icon () to use advanced expressions. Learn more in Using the expression builder.

(Optional) Select the Required checkbox to make the attribute required.

For any attributes except the sub attribute

If it can’t find a value for an attribute set as required, PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.

For the sub attribute

The following table lists how PingOne handles the sub attribute based on whether it’s set as required and what grant type the application is using:

sub set as required? Application grant type If PingOne can’t find an attribute mapping value?

`sub` set as required?	Application grant type	If PingOne can’t find an attribute mapping value?
Yes	Any grant type requiring user interaction, such as authorization code	PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.
Yes	Client credentials	PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.
No	Any grant type requiring user interaction	PingOne populates the `sub` attribute with the PingOne user ID of the authenticated user.
No	Client credentials	PingOne returns an access token without including the `sub` attribute.

Yes

Any grant type requiring user interaction, such as authorization code

PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.

Yes

Client credentials

PingOne doesn’t issue an access token for the resource and instead issues an error message in the token response.

Any grant type requiring user interaction

PingOne populates the sub attribute with the PingOne user ID of the authenticated user.

Client credentials

PingOne returns an access token without including the sub attribute.

To add more attributes, click Add and enter an attribute and the corresponding PingOne mapping. Learn more in Mapping attributes.
To delete an attribute, click the Delete icon () for the appropriate attribute.
Click Save.

On the Scopes tab:
1. Locate the scope you want to edit, and then click .
2. Enter or edit the Scope Name and Description.
3. (Optional) To add a scope, click Add Scope, and enter the Scope Name and Description and any mapped attributes to which you want the scope to have access.
4. Click Save.
(Optional) On the Permissions tab:
1. Click the Include user permissions in Access Token toggle to include application permissions in access tokens created for this resource.
  
  To enable the Permissions tab, add PingOne Authorize to your environment.
  
  Permissions for the authenticated user will be included in the p1.permissions claim in the access token. Learn more in Application permissions.
2. To add an application resource and permissions, click Add Permissions.
  
  Learn more in Adding application permissions.
3. To edit an application resource, click next to the application resource.
  - Edit the application resource Name and Description.
  - To add a permission, click Add and enter an Action and Description for the permission.
  - Edit the Action and Description for existing permissions.
  - To delete a permission, click next to the permission.
4. (Optional) To delete an application resource, click next to the application resource.
5. Click Save.