PingAccess simplifies adding OIDC and OAuth to API-based web applications, such as single-page applications (SPAs). In this configuration, PingAccess completely manages the OIDC authentication for the SPA, maintains a cookie-based web session with the browser, and exchanges the cookie for an OAuth access token (or other identity mappings) before invoking the target API. You must perform additional steps to support this configuration.
Configure Apigee to intercept calls for PingAccess:

1. In Apigee, go to Develop > API Proxies and click Create New.
2. On the Create Proxy page, click No Target.
3. In the Name field, enter PingAccess.
4. In the Base Path field, enter /pa.
5. In the Policies section of the Navigator, click + to add a policy.
6. Add a Flow Callout Policy, and in the Shared Flow list, select PingAuth.
7. Click Save.
8. Add the Flow Callout Policy as a Request Step to the PreFlow of the Proxy Endpoint.
9. Save and deploy the new proxy.
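The proxy bundle these Apigee steps produce, shown as an added example that is not taken from the PingAccess or Apigee documentation: a proxy endpoint with base path /pa and no target route, plus the Flow Callout policy attached as a PreFlow request step. The policy name FC-PingAuth and the virtual host name secure are assumptions; PingAuth is the shared flow the steps select.

```xml
<!-- apiproxy/proxies/default.xml: proxy endpoint of the "PingAccess" proxy.
     The empty RouteRule is what the "No Target" option produces, so every
     request under /pa is handled entirely by the PingAuth shared flow. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- The Flow Callout runs first on every request under the base path -->
      <Step>
        <Name>FC-PingAuth</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <PostFlow name="PostFlow">
    <Request/>
    <Response/>
  </PostFlow>
  <HTTPProxyConnection>
    <BasePath>/pa</BasePath>
    <!-- Assumed virtual host name; use the TLS host your environment exposes -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <!-- No target endpoint: this proxy never forwards to a backend itself -->
  <RouteRule name="noroute"/>
</ProxyEndpoint>

<!-- apiproxy/policies/FC-PingAuth.xml: the Flow Callout policy.
     FC-PingAuth is an assumed policy name; PingAuth is the shared flow name. -->
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-PingAuth">
  <DisplayName>FC-PingAuth</DisplayName>
  <SharedFlowBundle>PingAuth</SharedFlowBundle>
</FlowCallout>
```

Because the proxy has no target endpoint, the response to any request under /pa (including the OIDC redirect callback at /pa/oidc/cb) must be produced inside the PingAuth shared flow.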
Add a Web+API application in PingAccess:

1. Go to Applications > Applications and click +Application.
2. Enter a Name, and then enter the Context Root and select or create Virtual Host(s) values to match how the application's APIs are exposed from your Apigee environment.
Configure the web session:

1. In the Application Type list, select Web+API.
2. Under Web Session, click +Create.
3. Enter the web session details, including the OIDC sign-on details configured in your OIDC provider.
   Note: PingAccess can only manage the OIDC authentication on behalf of the browser if PingAccess, through Apigee, is configured as the redirect URL in your OIDC provider. For example, https://apigee.example.com/pa/oidc/cb.
4. Click Save to save the web session.
5. Under Web Identity Mapping, click +Create.
6. Name the identity mapping Access Token, and choose the type Web Session Access Token. This configures PingAccess to forward the OAuth access token it obtains from the OIDC provider's authorization server as the bearer token to the API behind Apigee.
7. Click Save.
8. In the Access Validation list, select the form of access validation that will be applied for non-web API clients, such as mobile applications.
Configure Apigee as the application destination:

1. In the Destination list, select Sideband.
2. In the Sideband Client list, select the sideband client that you created earlier.