Authenticate using a client credentials flow
This API also supports the client credentials flow, which is designed for machine-to-machine (M2M) interactions, where an application needs to access resources without involving a user.
NOTE: You can only use this type of flow if your PingOne environment is connected to your PingOne Advanced Services environment and both are correctly configured.
To set this up, you’ll need to:
- Create an OIDC application
- Generate a token
- Use the token to authenticate
To ensure that only administrators can generate access tokens, restrict access to the application that you created. Learn more about this process in Restricting access to the application.
Creating an OIDC application
Start by creating an OpenID Connect (OIDC) application in PingOne.
Steps
1. In the PingOne admin console, go to Applications > Resources.
2. Click Add.
3. Create the resource by completing these fields:
   - Resource name: A unique identifier for the resource.
   - Description (optional): A brief characterization of the resource that helps identify it.
4. Click Next.
5. On the Attributes page, click Add to add a new attribute.
6. Name the new attribute groups. Enter the appropriate user access control roles. Set the values to a hard-coded list of valid roles. Learn more about these roles and permissions in User access control roles.
   NOTE: The PingOne Advanced Services attributes must be set up for them to display in the list. Learn more about adding this attribute in Creating custom user attributes.
7. Click Next.
8. On the Scopes page, add a new scope to map the PingAccess role to the new application. Click Add Scope and complete the following fields:
   - Scope name: A unique identifier for the scope.
   - Description (optional): A brief characterization of the scope that helps identify it.
9. Click Save.
10. Add the OIDC application. Go to Applications > Applications.
11. Click the icon.
12. Complete the following fields:
   - Application name: A unique identifier for the application.
   - Description (optional): A brief characterization of the application that helps identify it.
   - Icon (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.
13. In the list of available application types, select OIDC Web App. Click Save.
14. On the Configuration tab, click the Pencil icon to edit the configuration.
   - Change the Response Type to none by clearing all the options.
   - Change the Grant Type to Client Credentials.
15. Click Save.
16. On the Resources tab, click the Pencil icon to add the scope you added in step 8 to the application.
17. Click Save and click the toggle at the top of the details panel to enable the application.
Generating a token
Access the new application in the PingOne admin console to generate an access token.
Steps
1. Follow the steps outlined in Getting an access token in the PingOne documentation.
2. Include the bearer token in the headers. For example, {"Authorization": "Bearer <TOKEN>"}.
Using the token to authenticate
Steps
If you’re using the API interactive documentation:
1. Go to the following URL:
   https://self-service-api.<environment>-<customer>.<region>.ping.cloud/docs
2. Click Authorize.
3. Paste the token into the input field, click Authorize, and then click Close.
   All requests made from the interactive documentation will be authenticated.
If you’re using an API client or command-line tool, such as Postman or cURL, query the API directly and include the bearer token in the headers. For example, {"Authorization": "Bearer <TOKEN>"}.
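The following Python sketch is an added example, not code from the PingOne documentation. It builds the client credentials token request, checks that a returned token carries the scope and groups attribute configured above, and produces the bearer header. Assumptions: the token endpoint pattern shown (the domain differs by region), HTTP Basic client authentication, a JWT access token with a space-delimited scope claim, and all function names, which are hypothetical.

```python
import base64, json, time, urllib.parse, urllib.request

# Assumption: token endpoint pattern for PingOne; the domain differs by region.
TOKEN_URL = "https://auth.pingone.com/{env_id}/as/token"

def build_token_request(env_id, client_id, client_secret, scope):
    """Build (without sending) the client credentials token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "scope": scope}
    return urllib.request.Request(
        TOKEN_URL.format(env_id=env_id), method="POST",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(request):
    """Send the request; the response JSON carries the access token."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return json.load(resp)["access_token"]

def jwt_claims(token):
    """Decode the JWT payload for inspection only; no signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def token_problems(token, scope, now=None):
    """List reasons the token would not suit the setup described above."""
    claims, problems = jwt_claims(token), []
    if scope not in claims.get("scope", "").split():
        problems.append(f"scope '{scope}' not granted")
    if not claims.get("groups"):  # attribute added on the Attributes page
        problems.append("no groups claim")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems

def api_headers(token):
    return {"Authorization": f"Bearer {token}"}

def sample_token(claims):
    """Constructed, unsigned stand-in for a real access token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

if __name__ == "__main__":
    tok = sample_token({"scope": "example-scope", "groups": ["example-role"], "exp": 2})
    print(token_problems(tok, "example-scope", now=1), api_headers(tok))
```

Load the client secret from a secrets store or environment variable rather than hard-coding it, and keep tokens out of logs and shell history.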
Restricting access to the application
To ensure that only administrators can generate access tokens, restrict access to the application that you created.
Steps
1. In the PingOne Advanced Services admin console, select the application, click the Access tab, and then click the Pencil icon.
2. Select the Admin Only Access checkbox and click Save.