PingOne Advanced Services

Authenticate using client credentials

To authenticate using client credentials, create a client credentials application in your PingOne environment and then generate an access token.

To set this up, you’ll need to:

We also recommend restricting access to this application to PingOne administrators. Learn more in Restricting access to the application.

In addition to the JWT Bearer token, the API uses role-based access control, as described in Administrative role mappings. The roles assigned to the accounts affect the results of the API calls.

Creating the client credentials application

Start by creating an OIDC application in PingOne.

Steps

  1. Go to Applications > Resources.

  2. Click the + icon.

  3. Create the resource by completing these fields:

    • Resource name: A unique identifier for the resource.

    • Description (optional): A brief characterization of the resource that helps identify it.

  4. Click Next.

  5. On the Attributes page, click Add to add a new attribute.

  6. Name the new attribute groups.

    Set the value to a hardcoded list of valid Self-Service roles. For example, {"dev-tls-admin", "prod-tls-audit"}. You can find a complete list of these roles in Self-Service Roles.

    The Self-Service attribute must be set up for it to display in the list. You can find instructions on adding this attribute in Creating custom user attributes.

  7. Click Next.

  8. On the Scopes page, add a new scope to map the Self-Service role to the new application. Click Add Scope and complete the following fields:

    • Scope name: A unique identifier for the scope.

    • Description (optional): A brief characterization of the scope that helps identify it.

  9. Click Save.

  10. Now, add the OIDC application. Go to Applications > Applications.

  11. Click the + icon.

  12. Complete the following fields:

    • Application name: A unique identifier for the application.

    • Description (optional): A brief characterization of the application that helps identify it.

    • Icon (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.

  13. In the list of available application types, select OIDC Web App. Click Save.

  14. On the Configuration tab, click the Pencil icon to edit the configuration.

    • Change the Response Type to none by clearing all the options.

    • Change the Grant Type to Client Credentials.

  15. Click Save.

  16. On the Resources tab, click the Pencil icon to add the scope you added in step 8 to the application.

  17. Click Save and click the toggle for the application.

Generating the token

Access the new application in the PingOne console to generate an access token.

Steps

  1. Follow the steps outlined in Getting an access token in the PingOne documentation.

  2. Include the bearer token in the Authorization header of your API requests.

    Example
    {"Authorization": "Bearer {TOKEN}"}
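The following Python sketch is an added example, not code from the PingOne documentation. It builds the client credentials token request, inspects the returned token for expiry and the expected Self-Service roles, and produces the Authorization header shown above. The auth host, the /as/token path, client secret basic authentication, and the groups attribute appearing as a list claim in the access token are assumptions; the environment ID, client ID, secret, and scope name are placeholders you supply.

```python
import base64, json, time
from urllib import parse, request

# Assumed, not from the page: regional auth host and client_secret_basic auth.
AUTH_HOST = "https://auth.pingone.com"

def build_token_request(env_id, client_id, client_secret, scope):
    """Client credentials grant; the secret travels in HTTP Basic, never the URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return request.Request(
        f"{AUTH_HOST}/{env_id}/as/token", data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(req):
    """Send the request (needs network access and real credentials)."""
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def token_claims(token):
    """Decode the JWT payload for inspection; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, required_roles, now=None):
    """Return a list of problems; an empty list means the token looks usable."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    # Assumption: the resource's "groups" attribute arrives as a list claim.
    missing = set(required_roles) - set(claims.get("groups", []))
    if missing:
        problems.append("missing roles: " + ", ".join(sorted(missing)))
    return problems

def auth_header(token):
    return {"Authorization": f"Bearer {token}"}

def make_sample_token(claims):
    """Constructed, unsigned sample token for offline checks only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"
```

Running check_token before calling the API surfaces an expired token or a role missing from the resource attribute on the client side, before the API's role-based access control rejects the call.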

Restricting access to the application

To ensure that only administrators can generate access tokens, restrict access to the application.

Steps

  1. Select the application, click the Access tab, and then the Pencil icon.

  2. Select the Admin Only Access checkbox and click Save.