Page created: 27 Jul 2022
Page updated: 6 Feb 2023
Product: PingAccess 7.2
Add a one-time authorization rule to let the user obtain authorization for a mobile app or single-page application using the Client-Initiated Back-channel Authentication (CIBA) specification.
- Click Access and then go to Rules > Rules.
- Click + Add Rule.
- In the Name field, enter a unique name, up to 64 characters long. Special characters and spaces are allowed.
- From the Type list, select One-Time Authorization.
- In the Client ID field, enter the Client ID of the OAuth client.
- Select a Client Credentials Type, then provide the information required for the selected credential type.
  - Secret – In the Client Secret field, enter the secret used by the OAuth client to authenticate to the authorization server.
  - Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.
  - Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
- From the Login Hint Request Attribute list, select an attribute. When a user authenticates, the value of this attribute is included in the call to the token provider. This attribute value can identify the user.
- Optional: In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.
  - Optional: Click + New Value to add additional fields.
- Optional: Click Show Advanced to configure advanced options:
  - Optional: In the Requested Expiry (S) field, enter the transaction lifetime in seconds. If not specified, the value defined in the CIBA request policy is used.
  - Optional: From the Timeout Rejection Handler list, select the handler to use for an expired request.
  - Optional: From the Deny Rejection Handler list, select the handler to use for a denied request.
- Click Save.
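
As an added illustration (not PingAccess code and not part of the original page), the sketch below shows how the rule's fields map onto a backchannel authentication request using the parameter names from the CIBA specification (`scope`, `login_hint`, `requested_expiry`), for the Secret credential type only. The function name, the rule dictionary keys, the sample values and the use of HTTP Basic client authentication are assumptions.

```python
import base64
from urllib.parse import quote_plus, urlencode

MAX_RULE_NAME = 64  # the Name field accepts up to 64 characters


def build_ciba_request(rule, login_hint):
    """Return (headers, form body) for a CIBA backchannel authentication
    request built from hypothetical one-time authorization rule settings."""
    name = rule.get("name", "")
    if not name or len(name) > MAX_RULE_NAME:
        raise ValueError("rule name must be 1-64 characters")
    if not login_hint:
        raise ValueError("login hint attribute has no value for this user")

    # openid is always requested; de-duplicate while keeping order.
    scopes = list(dict.fromkeys(["openid", *rule.get("scopes", [])]))
    form = {"scope": " ".join(scopes), "login_hint": login_hint}

    # Requested Expiry (S) is optional. When it is omitted, the value
    # defined in the CIBA request policy is used instead.
    expiry = rule.get("requested_expiry")
    if expiry is not None:
        if not isinstance(expiry, int) or expiry <= 0:
            raise ValueError("requested expiry must be a positive integer")
        form["requested_expiry"] = str(expiry)

    # Assumption: the client secret is sent with HTTP Basic authentication.
    creds = f'{quote_plus(rule["client_id"])}:{quote_plus(rule["client_secret"])}'
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
    }
    return headers, urlencode(form)


# Constructed sample values, not taken from any real deployment.
SAMPLE_RULE = {
    "name": "Approve wire transfer",
    "client_id": "example-ciba-client",
    "client_secret": "example-secret",
    "scopes": ["payments", "openid"],
    "requested_expiry": 120,
}

if __name__ == "__main__":
    sample_headers, sample_body = build_ciba_request(SAMPLE_RULE, "jdoe@example.com")
    print(sample_body)
```

The login hint travels in the request body, so choose a Login Hint Request Attribute whose value the token provider can resolve to exactly one user.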