You must add an API proxy in Apigee.

This task only applies if you want to add OAuth authentication to the API proxy in Apigee. If you don't want to add an OAuth flow, proceed to Attaching the PingAuthorize Shared Flow to API proxies.

Note:

These steps reference the Apigee Edge documentation. As you proceed, use values that correspond to you and your Apigee environment instead of the suggested example values. If needed, consult the Apigee X documentation.

  1. Create an API product:
    1. Optional: Add scopes to the Allowed OAuth scopes field.
  2. Create a developer and an app.

    You can ignore the steps referring to the Key and Secret.

  3. Create an API proxy to generate an access token:
    1. Go to API Proxies > Create Proxy and click the No target tile.
    2. On the Proxy details page, enter /token in the Base path field.
    3. On the Common policies page, click Pass through (no authorization).

      You will configure the OAuth authentication in another step.

  4. Add the OAuth policy to the token proxy:
    1. In the Policies list on the Develop tab of the token proxy, click the + icon to add a policy.
    2. In the Security section, select the OAuthV2 policy.
    3. In the policy editor panel, add and define at least one custom attribute for your access token using the <Attribute> element inside the <Attributes> element.
      Important:

      You must use one of the custom attributes added in this step to provide a value to the sub attribute in the PingAuth Shared Flow. The following example specifies the username attribute, but you can specify any custom attribute defined in this step.

      [Screen capture: the OAuthV2 policy on the API Proxies page, with the custom attribute "username" defined in the policy editor]
  5. Map a custom attribute value to the value of the sub attribute:
    1. Open the PingAuth Shared Flow in Apigee.
    2. In the Resources list, select the Prepare-Request.js file.
    3. Uncomment this line:
      validated_access_token_values["sub"] = context.getVariable('accesstoken.{custom_attribute}')
    4. Replace {custom_attribute} with the value of a previously defined custom attribute.
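
A sketch of the OAuthV2 policy that step 4 describes, defining the username custom attribute that step 5 maps to sub. This is an added example, not taken from the Apigee or PingAuthorize documentation; the policy name, token lifetime, grant type, and the verified.username flow variable are assumptions.

```xml
<!-- Added example: OAuthV2 policy attached to the /token proxy (step 4). -->
<!-- Assumed values: policy name, ExpiresIn, the client_credentials grant,
     and the verified.username flow variable. -->
<OAuthV2 name="OAuthV2-GenerateAccessToken">
  <Operation>GenerateAccessToken</Operation>
  <!-- Token lifetime in milliseconds (30 minutes). -->
  <ExpiresIn>1800000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- Flow variable that carries the grant type sent by the client. -->
  <GrantType>request.formparam.grant_type</GrantType>
  <GenerateResponse enabled="true"/>
  <Attributes>
    <!-- Custom attribute stored with the access token. ref names the flow
         variable that supplies the value; verified.username is a hypothetical
         variable set by an earlier policy that has already authenticated the
         user. Because step 5 copies this attribute into sub, populate it from
         a value the proxy has checked rather than from a raw request
         parameter. display="false" keeps the attribute out of the token
         response returned to the client. -->
    <Attribute name="username" ref="verified.username" display="false"/>
  </Attributes>
</OAuthV2>
```

Once a token issued by this policy has been verified, Apigee exposes its custom attributes as accesstoken.{custom_attribute}, so with this policy the line in step 5 reads accesstoken.username.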