Adding one-time authorization rules - PingAccess - 7.3


PingAccess 7.3

Add a one-time authorization rule to let the user obtain authorization for a mobile app or single-page application using the Client-Initiated Back-channel Authentication (CIBA) specification.

You must have a configured token provider and an OAuth client with the client-initiated backchannel authentication (CIBA) grant type enabled.

An OAuth client is the application in an OAuth framework that requests access to resources; if the request is approved by the authorization server, the client is issued an access token for the resources. CIBA is an extension to OpenID Connect that defines a new OAuth grant type in which user consent can be requested and granted through an out-of-band authentication flow. CIBA uses direct relying party to OpenID provider communication without redirects through the user's browser.

  1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select One-Time Authorization.
  5. In the Client ID field, enter the Client ID of the OAuth client.
  6. Select a Client Credentials Type, then provide the information required for the selected credential type.
    • Secret – In the Client Secret field, enter the secret used by the OAuth client to authenticate to the authorization server.
    • Mutual TLS – From the Mutual TLS list, select a configured Key Pair to use for Mutual TLS client authentication.
    • Private Key JWT – Select this option to use Private Key JSON web token (JWT). No additional information is required.
  7. From the Login Hint Request Attribute list, select an attribute.

    When a user authenticates, the value of this attribute is included in the call to the token provider. This attribute value can identify the user.

  8. Optional: In the Scopes field, enter or select a scope to request from the token provider. The openid scope is automatically requested.
    1. Optional: Click + New Value to add additional fields.
  9. Optional: Click Show Advanced to configure advanced options:
    1. Optional: In the Requested Expiry (S) field, enter the transaction lifetime in seconds.

      If not specified, the value defined in the CIBA request policy is used.

    2. Optional: From the Timeout Rejection Handler list, select the handler to use for an expired request.
    3. Optional: From the Deny Rejection Handler list, select the handler to use for a denied request.
  10. Click Save.
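As an added example (not PingAccess code or its API), the following shows the CIBA exchange that a one-time authorization rule's settings feed into: the backchannel authentication request built from the Client ID, the Login Hint attribute value, the Scopes and the Requested Expiry; the client_secret_basic header used for the Secret credential type; the polling token request; and the mapping of token-endpoint error codes onto the timeout and deny outcomes that the two rejection handlers cover. Parameter names follow the OpenID CIBA Core specification; the rule values, client secret and responses are constructed, and the Mutual TLS and Private Key JWT credential types are not modelled.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Grant type the client sends to the token endpoint in a CIBA flow.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"


@dataclass
class OneTimeAuthRule:
    """Hypothetical model of the rule fields from the procedure above (constructed)."""
    client_id: str
    client_secret: str                      # Secret credential type only
    scopes: Tuple[str, ...] = ()            # extra scopes; openid is always requested
    requested_expiry: Optional[int] = None  # seconds; None -> provider's CIBA policy


def backchannel_auth_request(rule: OneTimeAuthRule, login_hint: str) -> Dict[str, str]:
    """Body of the backchannel authentication request the rule triggers.

    login_hint carries the value of the configured Login Hint Request Attribute.
    """
    # openid first, duplicates removed, order otherwise preserved
    scope = " ".join(dict.fromkeys(("openid",) + tuple(rule.scopes)))
    body = {"scope": scope, "login_hint": login_hint}
    if rule.requested_expiry is not None:
        body["requested_expiry"] = str(rule.requested_expiry)
    return body


def basic_auth_header(rule: OneTimeAuthRule) -> str:
    """client_secret_basic value for the Secret credential type."""
    cred = f"{rule.client_id}:{rule.client_secret}".encode()
    return "Basic " + base64.b64encode(cred).decode()


def token_request(auth_req_id: str) -> Dict[str, str]:
    """Poll-mode token request, using the auth_req_id returned by the provider."""
    return {"grant_type": CIBA_GRANT, "auth_req_id": auth_req_id}


def classify_token_response(resp: Dict[str, str]) -> str:
    """Map a token-endpoint reply onto the outcome the rule must act on."""
    if "access_token" in resp:
        return "granted"
    err = resp.get("error")
    if err in ("authorization_pending", "slow_down"):
        return "keep_polling"          # user has not answered yet; honour interval
    if err == "expired_token":
        return "timeout"               # routed to the Timeout Rejection Handler
    if err == "access_denied":
        return "deny"                  # routed to the Deny Rejection Handler
    return "error"                     # any other error: fail closed
```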